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1 PROCEE D 


2 COURT: Good morning. 


3 MR. FRANK: Good morning, your Honor. 


4 MR. NEMTSEV: Good morning, Judge. 


5 THE COURT: We're only up to nine jurors, so hopefully 
6 they'll make it through the frigid weather. Did you need to 


. see me on anything? 


8 MR. NEMTSEV: did, your Honor. I wanted to see you 


9 about -—- there's no dispute amongst the exhibits, what's coming 


08:46 10 in and what we can -—- there's a small dispute. It's small. 


1] It's actually very small. There's one exhibit. It's log files 


12 totaling a million and a half, or whatever it is. It's a huge 


13 exhibit. It's a spreadsheet. In that exhibit there's various 


14 columns, and I believe those were pulled from one of the filing 


15 agent servers. In those columns, the filing agent or their log 


16 files say this IP is associated with Delaware, or this IP is 


17 associated with the Republic of Korea. 


18 Now, the government says I'm not entitled to use that 


19 because I contested MaxMind's analysis, but I think it's part 
08:47 20 of the record that's in evidence. 


21 THE COURT: Well, if it's in evidence is it in 


22 evidence? 


23 MR. KOSTO: Your Honor, that exhibit is in evidence, 


24 but they would be seeking to have their cake and eat it too. 


25 They moved to exclude MaxMind as unreliable. That column of 
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alt the exhibit comes from MaxMind and similar databases. So to 
2 suggest -- 


3 THE COURT: I know, but if it's in evidence, can't he 


4 point to it? You've put it in evidence. 


5 MR. FRANK: But, your Honor, we are redacting things 
6 all the time at their request. Here what they're asking for is 


- the exact stuff that they don't want us to rely on. So it's 


8 fine. If that's what they want to point to, then we get th 


9 MaxMind data. 


08:47 10 THE COURT: Do you know where it's from? 


11 . NEMTSEV: No, I don't. From what the government 


12 i from Microsoft. 


13 THE COURT: Let me put it this way: If it's 


14 exhibit, you can point to it, but that might open the 


15 MR. KOSTO: But if Microsoft -- 


16 THE COURT: Excuse me. Tf tt 's an the "in," it's a 


17 marked exhibit, they can point to it. But then you will have 


18 to ask what's that based on, and if the answer is MaxMind, 


19 which it sounds as if it is -- 


08:48 20 MR. FRANK: The answer will be Microsoft. Then we 


21 have to go down the rabbit hole of Microsoft collects it from 


22 places like MaxMind. 


23 THE COURT: It is what it -- what can 


24 evidence? Have you redacted it? 


25 MR. FRANK: Well, this just came up 20 seconds ago, 
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2 THE COURT: But you knew it was in evidence. It says 


i) Delaware. I'm just saying, what's sauce for the goose is sauce 
4 for the gander. 


5 MR. FRANK: And that's exactly our point, Judge, if 


6 wants to put it in, but we can't -- 
7 THE COURT: He's not putting it in. You're putting 
8 in, right? 


9 MR. FRANK: But he's relying on -—- 


08:48 10 THE COURT: Excuse me. If it's in evidence, he can 


11 ask about it. It may open the door. 


12 MR. FRANK: Well, then we'll redact it, but we don't 


13 have like, then we'll need some time to redact that 
14 particular -- 


15 THE COURT: We could just mark it for identification, 


16 but, understand, it might open the door. What do you want to 


17 do? 


18 ‘ AV as I have two minutes to think about 


08:49 20 THE COURT: Yes. I mean, you don't have to when is 


21 it coming? 


22 MR. NEMTSEV: This would be the third witness, 


23 believe? Not the first, the third. 


24 THE COURT: Because it could just be that he's willing 


25 to allow it in about MaxMind but point out how confusing it is 
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i and it's all over the place. But you're going to have to make 


2 a decision because what's sauce for the goose -—- isn't that the 


3 expression? -—- is sauce for the gander. It may not translate 


4 well into Russian. However, you get the point. 


5 MR. NEMTSEV: do get the point. 


6 THE COURT: Okay, all right. What number was this 


7 that we've been talking about? 


8 MR. NEMTSEV: This is Exhibit 71, your Honor. 


9 MR. KOSTO: And practically speaking, your Honor, 


08:49 10 I 71 is a thumb drive with millions of lines of code in 


11 would be all but impossible to redact. 


12 THE COURT: Well, I understand that, but —- 


13 MR. KOSTO: What we would propose is that the parties 
14 not examine on that particular issue within the logs. The jury 


15 won't be able to access it and see it. 


16 THE COURT: Well, that's overruled. If it's in, it's 


17 in. what I'll do is, I'll mark it for identification. 


18 [ them make a decision. What do you want to do? 


19 MR. FERNICH: Let me and Max -- 


08:50 20 THE COURT: Why don't you talk, talk amongst 


21 yourselves, and then I will -- but I'll let them point out the 


22 other, okay? If it says Boston through MaxMind -- isn't that 


23 the name of it? 


24 MR. KOSTO: Yes, your Honor. 


25 THE COURT: I'll just perhaps -- maybe, if you 
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al don't ask about it, I won't let them ask about it. Meanwhile, 


2 I'll mark it for identification when it comes in, and it may be 


3 subject to redaction. I have no idea what it is. I've heard 


4 about this for the first time this morning. 


5 MR. NEMTSEV: think it's going to be impossible, 


6 your Honor, not to ask about it because the witnesses, the ones 
7 that did the investigation, they use this stuff to -- 


8 THE COURT: Then I'll let them ask, okay? 


9 MR. NEMTSEV: Thank you, Judge. 


08:51 10 THE COURT: Okay. That's it. Good. We're waiting 
11 for the other nine jurors. 
12 MR. FRANK: So that means that the MaxMind data comes 


13 Lf they ask about it? 


14 THE COURT: If they ask about it, you can ask about 


16 MR. FRANK: Well, we would be asking about the MaxMind 


17 data, but that's a different witness. 


18 THE COURT: Maybe it is. I don't know. I can't -- 


19 MR. FERNICH: It's hard to rule on this in a vacuum 


08:51 20 because I don't know what he's going to ask about it. It could 


21 be a one-question thing and gone, goodbye. I mean, we really 
22 don't know what it is. 


23 THE COURT: It depends what the answers are. I will 


24 listen and I will be instructed, but I can't let you do one 


25 thing that I don't allow them to do. 
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alt MR. NEMTSEV: understand. 


2 MR. FRANK: Thank you, Judge. 


3 THE COURT: Do you need me? Pert 


the record.) 


4 (Discussion o 


5 (A recess was taken, 8:58 a.m.) 
6 (Resumed, 9:20 a.m.) 


7 THE COURT: You're still under oath, the interpreters. 


8 Thank you. 


9 THE CLERK: Okay, let me get the jury. It's going to 


09:20 10 take a second, Judge. 


11 THE COURT: The last juror just arrived. 


12 MR. KOSTO: Your Honor, would you like Mr. Brawner on 
13 the stand now? 


14 THE COURT: That's a great idea. 


LS THE CLERK: All rise for the jury. 


16 (Jury enters the courtroom.) 


17 THE COURT: Thank you. Good morning. You may be 


18 seated. Let me ask you, did anyone speak about this case? 


19 anyone see anything in the press? Anyone see anything in 


09:22 20 social media? Anyone communicate with any of you? All right, 


21 [ find the jury has complied. 


22 And I do understand we're getting going a little late 


23 because one or two of you were delayed. Of course, as Murphy's 


24 law would have it, we had a little snow this morning, but 


25 whoever was late -- I forget -- did the right thing and called 
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1 Jury. But right now we have two new numbers for you to call 


2 because the jury staff isn't always in when a jury isn't being 


3 impaneled. So we've given you the numbers that you can call, 


4 Maryellen or Maya, if there's a delay, so that way we know, as 


5 we did this morning, which was great, exactly what's happening. 


6 The second thing is, ij for some reason you get lost, 


7 just don't walk into this room. You never know what issue we 


8 may be arguing; for example, maybe something you shouldn't 


9 hear. So if there's an issue, just go back down to the second 


09:23 10 floor and ask them for help in getting upstairs. 


11 So right now we're starting with I believe our first 


12 witness. You all have your notebooks, pens? And hopefully 


13 your tech is still working, although we're always crossing our 


14 fingers. 


iS) So go ahead, Mr. Kosto. 


16 MR. KOSTO: The United States calls Marcus Brawner. 


A} THE CLERK: Sir, could you please stand and raise your 


18 right hand. 


19 MARCUS BRAWNER 


09:23 20 having been first duly sworn, was examined and testified as 


AL follows: 


22 ERK: Could you please state and spell your last 


23 


24 THE WITNESS: My last name is Brawner, 


25 THE COURT: Uh-uh. We can't hear you. This is a 
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1 giant-sized room. So pull in this mic here so we can really 


2 hear. 


3 THE WITNESS: All right. Brawner, B-r-a-w-n-e-r. 


4 THE CLERK: Thank you. 


5 MR. KOSTO: May I proceed, your Honor? 


6 THE COURT: Yes. 


7 DIRECT EXAMINATION BY MR. KOSTO: 


8 Q. Mr. Brawner, would you pull that microphone nice and 


9 close. We'll let you know if it's too loud, and I'll do my 


09:24 10 best to -- 


11 THE COURT: It's always a fine art because sometimes 
12 it's so close, it pops Lee's ears. So we just want to make 


13 sure, though, that the jury can hear. 


14 And if you can't hear, just raise your hand and say "I 
15 can't hear." All right. 
16 MR. KOSTO: Your Honor, the government would offer 


17 Exhibits 237, 238, 239 and 240, 73, 74 -—- 


18 THE COURT: Wait, wait, wait, wait. We don't speed 


19 read here. 


09:24 20 MR. KOSTO: slow it down. 


21 THE COURT: 238 


22 MR. KOSTO: 239, 73, 74, 75, and 77-A for 


23 identification. 


24 THE COURT: All right. 


25 MR. NEMTSEV: No objections, your Honor. 


09:25 10 


09:26 20 


21 


22 


23 


24 


25 
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BY MR. 


(Exhibits 237-240, 73-75 received in evidence.) 


(Exhibit 77A marked for identification.) 


KOSTO: 


Good morning, Mr. Brawner. 


Good morning. 


What city do you work in, sir? 


Nashville. 


And where do you work? 


I work for a company called Kroll. 


What is Kroll's business? 


Do you work with any particul 


Kroll is in the business of providing risk advisory, 


tigation, and response services. 


ar division of 


I work in the Cyber Risk Division. 


And what's the Cyber Risk Division? 


£ 


Cyber Risk provides a range of cyber security services for 


clients, both preventive in terms of helping them prepare for 


security, 


incidents or intrusions and the like. 


Q. You mentioned incidents. 


"incident response" for the jury. 


A. Sure. Incident response is the discipl 


system, 


as well as responding and investigating into 


Can you describe the term 


ine of 


investigating and responding to and containing a cyber 


intrusion. So, in other words, if someone has broken into a 


our job is to help identify that and get that person 


09:26 10 


09:27 20 


21 


22 


23 


24 


25 
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that issue resolved. 


What is your title at Kroll, Mr. Brawner? 


Managing Director. 


And how long have you worked in the incident response 


field? 


Over twenty years. 


Are you familiar with the company Toppan Merrill? 


Yes. 


Is it sometimes referred to as TM? 
Yes. 


And where is that company headquartered? 


I believe Toppan is headquartered in Minnesota. 


Let me ask you, in late 2019 and early 2020, did Kroll 


Cyber Risk get involved to investigate a possible intrusion on 


Toppan Merrill's computer network? 


A. 


Q. 


A. 


Q. 


We did. 


And what was your role in that response? 


I was one of the lead investigators on that response. 


From your involvement, do you know what Toppan Merrill's 


business is? 


A. 


My understanding is, Toppan Merrill provides business 


services in the area of printing and financial 


help companies prepare things 


applications to 


businesses. 


Q. 


like government filings for their 


And are you familiar with how often those filings that you 
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A described takes place in Toppan Merrill's business? 


2 A. My understanding and from what I saw was, quarterly or 


3 annually is typical. 


4 Q. companies like Toppan Merrill sometimes called "{ 
5 agents"? 


6 A. 


7 Q. What were the names of the Toppan Merrill computer systems 


8 that you were responding to in this incident response? 


9 A. We looked at two primary -- 
09:28 10 THE COURT: Now, when you say "we" —-— 


11 THE WITNESS: Kroll. 


12 THE COURT: Did you personally? 


13 THE WITNESS: Yes, myself and our team. I looked at 


14 two systems in particular. One was an application called 


15 Bridge and one was an application called UIT. 


16 Q. Let's start with UIT. Do you know what that stands 


1] A. It stands for Unit Investment Trust. 


18 Q. And in general terms, what was the Unit Investment Trust 


19 system at Toppan Merrill? 


09:28 20 A. It was an Internet-facing Web application used by some of 


21 its financial clients. 


22 Q. The other system you mentioned was the Bridge system, 
23 correct? 
24 A. 


25 Q. And what was the Bridge system? 
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a A. The Bridge was another Internet-facing application, as 


2 well as a desktop computer application, used by its clients in 


3 the preparation of filings for the SEC and so forth. 


4 Q. And where was the Bridge system physically located, the 


5 computers themselves? 


6 A. The Bridge system included systems in Minnesota as well as 


7 in the cloud, in the Microsoft cloud. 


8 ‘ And was each of them, Bridge and UIT, accessed by way of 


9 Internet? 
09:29 10 


11 Q. Let's start with a few terms that might be helpful for the 


12 jury. Can you tell the jury what an Internet domain is. 


13 A. Sure. An Internet domain is the name -- what we think of 


14 as the name of a website that we visit. So if you visit 


15 Google.com, Google.com is an Internet domain. 


16 Q. How about an IP address or Internet protocol address? 


17 A. So an IP address is a series of four numbers separated by 


18 dots, so it would be something like 123.45.67.89. And an IP 


19 address is much like a phone number that we would think of; it 


09:30 20 represents a system on the Internet. 


21 : Lf I went to your domain example, Google.com, is there 


22 IP address that goes with Google.com? 


23 


24 : And if I went to an IP address associated with Google.com 


25 on my browser, would I end up at Google.com? 
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1 A. Yes. So when you enter Google.com, your computer will 


2 make a query to what's called a "domain name server," and that 


3 server will tell your computer the IP address to use to connect 


4 to Google.com at that point. 


5 O-« It's fair to say the domain name server you described is 


6 kind of like a phonebook? 
7 A. Much like a phonebook, an address book. 


8 THE COURT: What exactly is a server? 


9 THE WITNESS: So a server would be a computer that is 
09:31 10 used to provide services to people or other systems. Soa 


11 desktop computer -- 


12 THE COURT: It's a piece of machinery? 


13 THE WITNESS: It is a piece of machinery, yes. 
14 Q. And in the context of the Judge's question about server, 


15 what is a client? 


16 A. So we would refer to a client -- I would refer to a client 


LS} as the end user of a system. It could also refer to the 


18 software that you as a person might interact with on your 


19 laptop or your desktop computer. 


09:31 20 Q. In late 2018, what was the domain for the UIT system? 


21 A. There were two domains for UIT in late 2018. One was 


22 UIT.MerrillCorp.com and the other was UIT.ToppanMerrill.com. 


23 O. As part of the incident response, did you examine records 


24 of activity on the UIT system? 


25 A. Yes. 


09:32 10 
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Q. Can you explain to the jury what logs are. 


A. Logs are, ine 


ect, an audit trail of activity ona 


computer or related to an application. So logs, if you receive 


a phone bill at home, 


it shows an accounting of all the calls 


that you made in a given month; that would be an example of a 


log. 


Q. But in this case for the computer's activities, not the 


phone? 


£ 


A. Correct, in this case, for a specific system. 


Q.. When was the first suspicious access that you identit 


the Toppan Merri 


ll Ul 


[T network? 


Our investigat 


ion 


£ 


ound an initial compromise and breach 


that system in late November of 2018. 


Let me ask you 


, Mr 


. Brawner, to look at Exhibit 237, which 


in evidence and should be up on the screen in front of you. 


09:33 20 


21 


22 


23 


24 


25 


you have it ther 
Yes. 

KOSTO: 

COURT: 

you touch 

CLERK: 


CO 


CLERK: 


MR. KOSTO: 


I'll use this one. 


e? 


Your Honor, do you have it? 


Is 


it coming up on all your computers? 


the computer screen, so if you -- 


It 


He 


No. 


"s not working. 


can't underscore? 


Tt's broken, unfortunately. 


just lost it on my screen, your Honor. 


Oops, it's back. 


09:34 10 


09:35 20 


21 


22 
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QO. What is Exhibit 237, Mr. Brawner? 


A. This is a web server log from UIT. So this is a log 


showing activity that was taking place on the UIT web server on 
November 28, 2018. 


O- And has Ms. Lewis highlighted the date that you've just 


read aloud? 
A. 


Q. And approximately what time do these log entries on Page 1 


of Exhibit 237 refer to? 


A. They show 11:41:01. 


Q. And looking at Pages 1 -- and I'll ask Ms. Lewis to take 


you forward to Page 2 and Page 3 -- and, Ms. Lewis, if you 


could take us back to Page 1 —-- what activity is Exhibit 237 


showing on the UIT system? 


A. Bach row or each section of the log represents one request 


from a client computer to the UIT server requesting for a 


£ 


specific file name. 


Is there a piece ftware that is running in these 


Ox What is the name of the software that's running? And if 


it's reflected, could you point us to where it is. 


23 


24 


25 


A. So at the end of the second row of each log entry is a 


reference to a program named DirBuster, D-i-r-b-u-s-t-e-r, the 


OS/2 DirBuster project. 
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al: ; What is DirBuster? 


2 MR. NEMTSEV: Objection, your Honor. 


Si THE COURT: Overruled. If you know. 


4 A. DirBuster is a freely available tool that can be used to 


5 perform what we call brute force attacks against a server; in 


6 other words, to try to guess and identify valid file names or 


7 valid paths on a server. 


8 Q. You said "brute force." What is that? 


9 A. So brute force means the idea of rapidly and thoroughly 


09:35 10 guessing or attempting to guess valid information. We often 


11 think about our personal passwords being compromised by a brute 


12 force attack; someone guessed my password by trying all 


13 possible words in a dictionary, for instance. 


14 Q. So if I had a four-digit password, what would be a brute 
15 force attack on that password? 


16 A. So I would try 0000 through 9999. 


ay Q. And how do you recognize this DirBuster 


18 Exhibit 237 as a brute force attack? 


19 A. In this case, we see multiple requests during the same 
09:36 20 second, so each entry that's shown occurred at 11:41:01 


21 seconds. 


22 : Is that true of every entry on Pages 1, 2, and 3? 


23 


24 : DirBuster an authorized program on Toppan Merrill's 


25 network? 
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al : No. 


2 Q. Let me show you Exhibit 238. It's just one page. First 
3 of all, do you recognize it? 

4 A. 

5 Or. And what is it? 


6 A. This is a view of a Microsoft Windows security log dated 


7 December 25, 2019. 


8 Q. Christmas Day? 


9 A. Christmas Day. 
09:37 10 Q. And does the log that you're talking about here show what 


£ 


‘lal computer it's from? 


12 A. 


13 Q. Where is that? 


14 A. In the lower right, the last line indicates the computer 


15 from which this event was recorded. 


16 ; Would you read the name of the computer, please. 


Ay : It's USD10846.TM.ToppanMerrill.com. 


18 ‘ Do you know what "USD" stands for on Toppan Merrill's 


19 network? 


09:38 20 A. 


21 - What is that? 


22 : It signifies a U.S., United States, desktop computer, the 


23 D" meaning desktop. 
24 Ox And in Toppan Merrill's naming system, what typically 


25 follows USD for desk tops? 
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1 A. A string of digits much like a serial number or an asset 


2 number. 

3 : Numbers or letters? 

4 ‘ Numbers. 

5 ; What about USL? 

6 : So the "L" in USL would represent a laptop, so a U.S., 


h United States, laptop computer. 


8 Q. Did you also see computers named with the first two 
9 letters "NA"? 
09:38 10 A. 
11 Ox And what did that correspond to in Toppan Merrill's naming 
12 convention? 
13 : North America. 


14 : What time is the log in Exhibit 238? 


15 ; 4:48:54 a.m. 
16 ‘ And do you know what times on that is? 
17 : That was U.S. Central Time. 


18 ; Farly in the morning? 


19 : Before business hours, yes. 


09:39 20 : And if I can direct you to the middle of the log, there's 


21 row that reads "New Process Name." Do you see that there? 
22 : YEsi. 


23 : What is the log showing when it says "New Process Name"? 


24 : So this log indicates that an application named 


25 migrate.exe was started. So think about if you launch your Web 
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] browser, you're launching a new process. 


2 Q. And did you look at -—- 


3 THE COURT: I don't understand what you just said. 

4 ‘ What's a process? 

5 : So a process is -—- 

6 THE COURT: Don't forget, you're talking, just assume 


7 me, Okay? Not a sixteen-year-old. So just bring it so that 


8 everyone here can understand it, all right? 


9 THE WITNESS: Sure. So any program that you're 
09:40 10 running on your computer runs aS a process. So a process is an 


11 instance of some software that is running on your computer. So 


12 your web browser, Microsoft Word, your e-mail software, each 
13 would be running aS one or more processes on the computer. 

14 THE COURT: All right, so what did we just look at? 
15 Q. So if your example is processes like Microsoft Word or 


16 Safari, the browser, or Outlook, the e-mail program, what is 


LS} the program that's showing up in this log as running? 


18 A. So this log is showing a program named migrate.exe 


19 running. 


09:40 20 Q. Did you look at what migrate.exe was on Toppan Merrill's 
21 system? 
22 A. We did. 


23 or And what was it? 


24 A. It was a renamed copy of a program called PuTTY or PLINK. 


25 Q. And in the plainest of English, what is PuTTY or PLINK as 


09:41 10 


09:42 20 


21 


22 


23 


24 


25 
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a program? 


A. PuTTY or PLINK is a tool often used by system administrator 


to connect to a remote computer for purposes of managing that. 


So it allows you to create a secure connection to another 


computer. 


Q. When you say a remote computer, what do you mean? 


A. So a computer other than the one that you are physically 


sitting at or connecting with. 


Q. And when you say administrator, are we talking 1] 


department? 
A. Yes, most often. 


Q. Okay. So you mentioned that migrate.exe was a renamed 


version of PuTTY or PLINK, correct? 


A. Yes. 


Q. What was the significance to you, as an investigator, of 


fe 


the renaming of PuTTY to a different name? 


£ 


A. As an investigator, we often -- 


MR. NEMTSEV: Objection, your Honor. 


THE COURT: Overruled. 


A. we often see individuals who are trying to hide their 


tracks or perform unauthorized actions may choose to rename a 


file to something other than what it is to hide from the view 


f a security team or someone that might review these logs. 


t been noticed as an expert, and he's testifying 


EMTSEV: Objection, your Honor. I move to strike 
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1 about hypotheticals, “often see, often do." 


2 THE COURT: I'll allow it just in terms of what his 


3 state of mind was as he's investigating this, not that that's 


4 what happened, unless I hear that later. 


5 A. Additionally, the path on the computer where the program 


6 is running from is not a typical path where PuTTY would be 


7 installed or PLINK would be installed. 


8 THE COURT: Is PuTTY or PLINK a valid application 


9 that's normally used in the course of business? 


09:43 10 THE WITNESS: It can be, yes. 


11 Ox And is a renamed version of PuTTY or PLINK something that 


12 Toppan Merrill installed on its network? 


13 c No. 


14 : Let me show you Exhibit 239 in evidence. Do you recognize 


16 : Yes. 


ay ‘ Is this another log? 


18 THE COURT: By the way, I want to remind you, I'm 


19 asking the questions, but I'm sure some of you have questions. 


09:43 20 If you don't understand a term, raise your hand and ask 


21 Maryellen to have it explained, all right? Hand it up to her. 
22 Thank you. 


23 MR. KOSTO: May I proceed? 


24 THE COURT: Yes. I'm sorry. Just to make sure 


25 everybody is understanding. 
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1 . What is Exhibit 239? 


2 : So 239 depicts another Windows event log, in this case, 


3 January 10, 2019. 


4 : t what time of day? 
5 r 1 : a.m. Central Time. 


6 . i of business hours? 


7 : i of business hours. 


8 : And what was the machine that this log is 


9 . The computer name this log is for is 


09:44 10 USD10472.adminassist.mrll.com. 


11 Q. Is that the same or a different computer from Exhibit 238? 


12 We can go back and look if it's helpful. 


13 MR. KOSTO: Ms. Lewis, would you kindly take us to 


15 : What was the computer in 238? 


16 : It is a different computer. 238 shows USD10846. 


17 ; And Exhibit 239 shows what? 


18 : USD10472. 


19 : Remind us, USD stands for? 


09:44 20 : U.S. desktop. 


21 : Do you know the user that USD10472 was assigned to? 
22 : This computer was assigned to a user named Arthur 


23 Smallman. 


24 Q. Do you see reference in this document at the line "Source" 


25 toward the bottom to the word "PowerShell"? 
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2 Q. Can you explain to the jury what "PowerShell" is. For 
3 starters, is it a program? 


4 A. Yes. PowerShell is a component of Microsoft Windows, the 


5 operating system that provides typically an administrator of 


6 the computer the ability to manage and configure and control 


7 that computer. So the word "shell" in technology sense is 


8 essentially a command prompt, a place where we can interact 


9 with and instruct the computer, and PowerShell is installed on 


09:46 10 virtually all of Microsoft Windows systems. 
11 Os And in this case, does a user need to be sitting at the 
12 computer that they are managing with PowerShell? 


13 A. No. 


14 QO. How does that work if the user of PowerShell isn't sitting 


15 at the computer that is being acted on? 


16 A. So PowerShell has the ability to facilitate connections to 


A} a remote computer for the purpose of instructing that remote 


18 computer. So I can sit at my laptop, for example, and execute 


19 commands or instructions on a computer somewhere else over a 


09:46 20 network. 


21 Ox Do you see a reference in the second line of Exhibit 239 


22 "invoke Mimikatz"? 


23 


24 : What is Mimikatz? 


25 . Mimikatz is a program that is used to extract or dump 


09:47 10 
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passwords from the computer from which it's run, often for, I 


would say often unauthorized —-— 


MR. NEMTSEV: Objection, your Honor. 


COURT: Sustained. 


MR. NEMTSEV: Move to strike. 


Q. What is the date associated with the "invoke Mimikatz" 


command here? 


It's January 10, 2019. 


And what program was used to initiate that inst 


PowerShell. 


ruction? 


Was Mimikatz, the credential scraping tool, a tool that 


£ 


Toppan Merrill had installed 


No. 


Let me direct your attention to Exhibit 240. 


log for now. Do you see it there? 


09:48 20 


21 


22 


23 


24 


25 


Yes. 


Do you recognize it? 
Yes. 


What is it? 


or authorized use on its system? 


This is another Microsoft Windows PowerShell log that is 


depicting the copying of the PowerShell application 


instance with a different name; in other words, crea 
of PowerShell under a different name, in this case R 


as shown in the log. 


to another 


ting a copy 


DTEVC.exe, 


MR. KOSTO: Ms. Lewis, could you please highlight the 
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il line that begins "host application." 


2 ‘ You mentioned RDTEVC.exe a second ago; is that right? 
S . Yes. 

4 ‘ What's happening in the line that Ms. Lewis has 

5 highlighted? What's the code doing here? 


6 A. So the Windows PowerShell application is being instructed 


7 to make a copy of itself into another file named RTDEVC.exe. 


8 Q. So this is a renaming of PowerShell? 


Dp 


9 A. Effectively, yes. 


09:49 10 : And let me take you to the bottom of Exhibit 240, the 


11 ifth page, bottom half. Do you have it there? 


13 : IT ask you, with reference to the last three lines of 
14 this code, in human terms, what's going on here? 


15 A. So this is a view of instructions that were passed to 


16 PowerShell, in this case asking PowerShell and the computer to 


1] make a connection to an internet domain called 


18 cloudAPIfinance.info. 


19 : Is that in the middle of the first highlighted line? 


09:50 20 


21 Q. And was establishing a secure connection to 


£ 


22 cloudAPIfinance.in 


o part of this machine's typical use? 


23 


24 : Did Kroll and you find other internet domains and IP 


25 addresses that Toppan Merrill computers were connecting to 
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1 during the course of your engagement? 


2 A. Yes. 
3 Q. And can you describe them for the jury generally, these 


4 domains. 


5 A. We found several domains that were not known to Toppan 
6 Merrill that computers were connecting to. Each of the domains 


7 were named in permutations that would suggest that they were 


8 finance-related domains. So here it was Cloud API Finance. I 


9 believe we also saw FinancecloudAPI.com, and other similar 
09:51 10 domains. 
11 Ox About how many were there? 
12 : Approximately eight. 
13 : And did each of those domains that you found correspond to 


14 IP address? 


16 Q. And as you sit here today, can you recall the name of 
LS and every one from memory? 


18 A. No. 


19 Q. Did you make a record of them when the names were fresh in 


09:51 20 your mind? 


21 A. Yes. 


22 Q. For identification, I'm showing you Government's 


23 Exhibit 77A. Does the unredacted portion of this list 


24 accurately describe the domains that you were just testiit 


25 to? 
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2-31 


al : Yes, it does. 
2 ‘ Let me have you read the domains aloud, please. 


Si THE COURT: Well, can we just mark it? 


4 MR. NEMTSEV: Could we just admit it, your Honor? 


is COURT: Yes, I'm with you. 


6 . KOSTO: We can admit it, your Honor. 


7 ] : What number? 


8 . TTA. 


9 ] : Let's: an. 
09:52 10 ‘ And let me ask -—- 


11 So we already have 77A in. Do you want 


13 MR. KOSTO: No. I had moved 77A for identification, 


14 but we're happy to offer it. We would so offer it. Thank you. 


15 (Exhibit 77A received in evidence.) 


16 Q. Could you read the domains on the two pages of 


17 Exhibit 77A. 


18 A. Yes. 


19 THE COURT: You want to sit and read all these? 


09:52 20 MR. KOSTO: There are only eight, your Honor, but, 


21 


22 A. CloudAPIfinance.info, APPFINreport.info, 


23 FNWALLINform.info, developingcloud.info, smartfinancelist.com. 


24 Q. Just three more, Mr. Brawner. 


25 A. Scoreyourmoney.com, finshopland.me, and shopservice.live. 
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2-32 


1 Q. What, if anything, did you do with these domains when you 


2 discovered evidence of them on Toppan Merrill's network? 


3 A. We provided them to Toppan Merrill, as well as law 


4 enforcement. 


5 Q. Are you familiar, based on your work in incident response, 


6 with the term "penetration testing"? 
7 A. 
8 Q. What is it? 


9 A. Penetration testing is a discipline where security 


09:53 10 professionals will attempt to break into a company in an 


11 authorized way, so a company will hire a security person or 


12 team to attempt to penetrate or break into their systems for 


13 purposes of identifying weaknesses or problems with their 


14 system. 


15 Q. Had Toppan Merrill hired anyone to do penetration testing 


16 on its network in 2018, 2019, or 2020? 


Ly A. No. 


18 Q. Let's talk about the Bridge system now, Mr. Brawner. Was 


19 that the second computer system at Toppan Merrill you were 
09:54 20 describing? 
21 A. Yes, it was. 


22 Q. And what was Bridge again? 


23 A. Bridge was an application used by its customers' publicly 


24 traded companies that need to prepare filings for the SEC. 


25 Bridge allows the preparer to sort of automate and speed and 
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1: maintain accuracy of those filings in the preparation of those 


2 documents. 


3 Q. Did Kroll find any accounts on the Bridge system for which 
4 it suspected unauthorized access? 

5 A. 

6 Q. And which accounts? 


7 A. We identified approximately four accounts assigned to 


8 Toppan Merrill employees that were exhibiting suspicious 


9 behavior due to what they were being what they were doing. 
09:55 10 Q. And what kind of access to the Bridge system did those 
11 employee accounts have, based on their usernames and passwords? 


12 A. As employees, they had what we would call administrative 


13 access or broad access to the data within the Bridge 
14 application. 


15 Q. And what would that mean in terms of being able to access 


16 the reporting of different companies? 


Ay A. So an account assigned to a Toppan employee would be able 


18 to view and see records from multiple other customers, as 


19 opposed to an account assigned to an individual customer who 


09:55 20 would only be able to see their own documents. 


21 Q. So if I worked for Coca-Cola company, what parts of the 


22 Bridge system would a Coke employee have access to? 


23 A. I would only have access to Coca-Cola documents. 


24 Q. But these employees that you described, how broad was 


25 their access? 
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1 A. It was broad. They could access documents for any 


2 companies that used the Bridge system. 


3 O.. And did you review logs from the Bridge system in your 


4 investigation? 


5 A. TL -did. 


6 Q. What kind of activity did you see on these employees' 


7 accounts? 


8 A. We saw these employees' accounts accessing and saving 


9 documents from multiple customers in short periods of time. 
09:56 10 Q. What was done to those documents beyond access, if 
11 anything? 
12 A. The logs show specific documents being opened and then 


13 saved to the local computer where the user at the time was. 


14 Q. And what kind of documents? 


15 A. These were draft and final documents for the SEC, so 


16 things like a 10K filing or a draft version of such. 


17 OQ. How far back did the logs that you looked at during your 


£ 


18 investigation go when you first started your investigation at 


19 Toppan Merrill? 


09:57 20 A. Initially, the logs that we reviewed were available 


21 approximately 90 days. 


22 Q. Can I show you Exhibit 73, please. Do you have it in 
23 front of you, Mr. Brawner? 
24 A. Yes. 


25 Q. For starters, if Ms. Lewis can help us, can you tell us 
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1 how many rows are in this spreadsheet? 


2 (Witness examining document.) 
3 ‘ 588. 


4 ‘ And what are these 588 rows? 


5 : Fach row represents a log entry for the Bridge application. 
6 : Any particular user? 


7 : As shown, the user is BenjaminOliver@ToppanMerrill.com. 


8 ‘ And do you see in Column A there's reference to dates and 
9 times? 
09:58 10 A. 
ala Q. What is the approximate date and time range for these 588 
12 rows? 
13 A. The earliest is October 14, 2019, and the latest is 
14 January 16, 2020. 


15 MR. KOSTO: Ms. Lewis, if you'd kindly take us to the 


16 top, I'd like Mr. Brawner to describe for us what Column C is 


ay in this log. 


18 A. Column C depicts the company name, the name of the 


19 customer of the Bridge system that the audit log pertains to. 


09:59 20 : I think you've touched on this, but Column D is what? 


21 : Is the username. This is the user that was logged into 
22 the application at the time of that event. 


23 Q. And Column E, "Document Name"? 


24 A. So document name, where there is a document related to the 


25 activity in the log, the name of the document in question is 


10:00 10 


10:01 20 


21 


22 


23 


24 


25 
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shown. 


So in Row 3, for example, what was the document acted on? 


So in Row 3, a document named C_template_8K. 


And maybe just one more below it for a different example. 


So on Row 12, it shows current_8K_earnings. 


And what client's area was that 8K earnings document 


A client named Winmark Corp. 


MR. KOSTO: Ms. Lewis, would you please take us to 


Column H. 


Is this column headed 


Yes. 


"Name"? 


And what does it describe in the logs? 


So each log entry, the application records the action that 


the entry relates to. So this provides insight into what the 


user was doing relative to 


each log entry. 


Q. And what are the examples of things that appear in this 


first 30 or so rows? 


A. So it starts with the 


depict the starting of the 


entry "add-in start-up," which would 


Bridge application for that user, 


and then followed by things like "open folio at start-up," 


which would indicate a documentary filing that's being opened 


at the outset of using the 


application. And "add-in start-up" 


would be the launching of the Bridge application on the user's 


computer. 


Q. How about "Save as Off 


Fice" menu button there in Row 6? 
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2237) 


1 A. If a user chose to save a copy of the document in question 


2 to their computer, for instance, using Microsoft Word, if 


3 you're familiar with clicking "Save as" to save a copy of 
4 document, that indicates the user chose that action. 


5 QO. One last column to introduce us to. Could you look at 


6 Column G, please. What is "Machine Name"? 


7 A. For each row in the log, the machine name is "USLE 


8 U.S. L-e-d-g-e. 


mu 


9 Q. Was USLEDGE a machine name that you saw on employee 


10:02 10 computers at Toppan Merrill during your review? 


11 A. USLEDGE was not a Toppan Merrill computer. 


12 Q. How do you know that? What's wrong with it? 


13 A. By name, it does not match the convention that Toppan 
14 Merrill used. 


15 Q. What was the convention? 


16 A. So for a U.S. computer, as we discussed a bit earlier, it 


Ly would be a U.S. with a D or L followed by a series of numbers. 


18 MR. KOSTO: Ms. Lewis, if you could take us to 


19 Column A in the row "Date Time Stamp." 


10:02 20 : Do you see references to the letter Z there, Mr. Brawner? 


21 F Yes. 


22 : What does Z tell us about the dates and times in Column A? 


23 : So in a computer log, and in this log, the Z represents 


24 Zulu time, which is another name for UTC, or what we often 


25 think of as London time. 
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i Q. And is that pretty standard in the forensics industry to 


2 have things go back to London time? 
S A. 


4 Q. And Zulu is short for not having to say Coordinated 


5 Universal Time every time you want to talk about a time? 


6 A. Correct. 


7 Q. Okay. What are the times, in Zulu, for the first 35 or so 


8 rows, just, you know, the hour of day? 


9 : it shows 9:00 a.m. and 10:00 a.m., Zulu time. 


10:03 10 on And where were the computers and the computer users 


11 the Bridge system? 


12 A. In Central Time, typically. 


13 Q. So what time did these actions take place in Central Time 


14 that are reflected in Exhibit 73? 


15 A. So 9:00 a.m. would be 3:00 a.m. in U.S. Central Standard 


16 time, and, of course, 10:00 a.m. would be 4:00 a.m. 


17 MR. KOSTO: One more line in Exhibit 73, Ms. Lewis, if 


18 you'd take us all the way to the bottom. 


19 Q. What time did the actions reflected in this log take 
10:04 20 place, rows 587 and 588? 
21 A. So these actions were on January 16, 2020, at 9:35 and 
22 9:39 Zulu time. 


23 : Can you convert that to U.S. Central Time for us? 


24 : So that would be 3:35 and 3:39 a.m. 


25 : Moving from left to right, what company's records were 
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i accessed in these two log entries? 


2 A. TPG Industries, Incorporated. 
3 MR. KOSTO: And, Ms. Lewis, if you could take us over 


4 to the right edge. A little bit further, all the way. 


5 : Do you see Column AA? 
6 : Yes. 


7 ; What are the numbers in rows 587 and 588 for Column AA? 


8 ‘ They show the IP address of the user who was accessing 


9 Bridge and performing the listed actions. 


10:05 10 : And can you read that IP address aloud, please, just one. 


11 : 135.228.119.147. 


12 : At the time, what did you do with that IP address? 


13 : We provided that IP address to Toppan Merrill. We also 


14 researched that IP address to better understand where that IP 


15 address belonged, or what system on the Internet it might 


16 belong to. 


17 ‘ What system on the Internet did it belong to? 


18 : We found it associated with a company called AirVPN. 


19 : What is AirVPN? 


10:06 20 : AirVPN is a company that provides customers with virtual 


21 network services. VPN stands for virtual private network, but 


22 most of us would typically use and purchase a VPN service to 


23 MR. NEMTSEV: Objection, your Honor. 


24 THE COURT: Sustained, sustained. 


25 ; you have a simple example of what a VPN is to help the 


10:07 10 


10:07 20 


21 


22 


23 


24 


25 
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jury understand the term? 


A. Many folks would use a VPN to change their location -—- 


MR. 


NEMTSEV: Objection, your Honor. 


THE COURT: So if you could just say, what is a 


typical use 


of a VPN? 


THE WITNESS: Sure. It is to hide or change your 


actual location to be somewhere else in the interest of 


protecting your privacy -- 


MR. 


NEMTSEV: Objection, your Honor. 


THE COURT: Overruled. 


Q. Was AirVPN a provider you were familiar with at this time 


in your career? 


No. 


Let me 


Yes. 


show you Government's Exhibit 74. Do you recognize 


What is it? 


It is additional Bridge application logs from January 21, 


And what user do these logs concern? 


The username AJS1223@hotmail.com. 


Do you 


Yes. 


Yes. 


know who that user is? 


It was Arthur Smallman. 


Did you mention his name before in your testimony? 


10:08 10 


10:09 20 


21 


22 


23 


24 


25 
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QO. In what context? 


A. An earlier security event that we showed and you showed 


showing the Mimikatz activity on Arthur Smallman's Toppan 


Merrill computer. 


And what was Mimikatz? 


About how many rows are 


Thirty-one. 


It was a password dumping tool. 


there in Exhibit 74? 


What is the machine name from Column H associated with 


one of these rows? 


The machine name was USLEDGE. 


And what is the IP address associated with each one of 


these rows? 


A. The client IP address was 199.249.230.7. 


And just to be clear, when you say the client IP address, 


A. So this would be the IP 


IP address are we talking about? 


address of the computer associated 


with that connection to Bridge and that log-in by the Arthur 


Smallman account. 


Q. Did you provide this address, this IP address to law 


forcement? 
Yes. 


What provider did this 


IP address come back to? 


This IP address also can 


ne back to AirVPN. 


And what kinds of actions in Columns H did occur in these 
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al logs? 


2 A. So the logs show the starting of Bridge, the opening of 


S specific documents, and then the saving of those documents to 


4 the local user's computer. 


5 Q. And in Column E, could you read the first couple kinds of 


6 documents that were accessed. 


7 A. Row 3 shows IBM EX99_1. 


8 Q. What about row 10? 


9 A. Row 10 shows AUB_earningsrelease_EX99_1. 


10:10 10 MR. KOSTO: Ms. Lewis, could you take us to rows 26 to 


1] f Exhibit 74. 


12 : What company's records do these log entries concern? 


13 : Avnet, Incorporated. 
14 Q. And in Column A, what time did the access to Avnet's 


15 records occur? 


16 : 14:28 Zulu, 14:29 -—- 


17 : Can you flip that over to Central Time for us? 


18 : Sure. That would be approximately 8:28 a.m. U.S. Central 


19 on January 21. 


10:11 20 : And what documents of Avnet's were accessed? 


21 : AVY 6x 99-1 or ex 99 dou = 


22 MR. KOSTO: And, Ms. Lewis, all the way to the right. 


23 If Mr. Brawner could please read the IP address one more tim 


24 : 199.249.230.7. 


25 : Did you find evidence on a Toppan Merrill system of 
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alt use of other IP addresses that started with 199.249.230? 


2 ‘ Yes. 
3 ‘ And do you recall which? 


4 ‘ I don't recall the last digit. 


5 : Do you recall the provider that they were associated with? 
6 : They were each associated with AirVPN. 

7 : And do you recall any that included the ending number .42? 
8 : Yes: 

9 ; What was that one used for. 


10:12 10 : .42 was seen in our logs, in the Toppan Merrill logs, 


11 accessing and attempting to access multiple web shells on the 


12 UIT application server. 


13 Q. "Web shells" is a new term for us. Could you please 
14 define it. 


15 THE COURT: Well, could you say the sentence again? 


16 THE WITNESS: Sure. We saw connections being made to 


17 the UIT application server from the .42, the 199.249.230.42 IP 


18 address, attempting to access web shells on the UIT server. 


19 Oz And that last question again was, what's a web shell? 


10:12 20 A. So a web shell is code, or you can think of it as sort of 
21 a web page that's placed on a system by a threat actor, by a 
22 hacker, to provide back-door access into that system. So it's 
23 very small, hard-to-find pieces of code that permit someone to 


24 access a system -—-— 


25 MR. NEMTSEV: Objection, your Honor. Move to strike. 
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al. THE COURT: Overruled. 


2 Q. One last exhibit, Mr. Brawner. Could we show you 
3 Government's Exhibit -—- 


4 THE COURT: Can you say that in English again? 


5 I know it's English for you, but in plain speak. 


6 : In even plainer English, what's a web shell? 


7 A. So think of it as a secret way to get into a system 


8 without the knowledge of the system owner. So, for instance, 


9 if I sold padlocks that had the ability for me to set a 


10:13 10 four-digit code to that lock, but when I manufactured it 


‘lal always knew that, you know, 3456 would get me into that lock, 


12 I didn't tell the owner of that lock that I could do that, 


13 ect I'm creating a back door and a way to access whatever 


14 lock is protecting. 


15 THE COURT: So what's the web shell here? 


16 THE WITNESS: So when you access a website, you're 


17 viewing information that is intended by the website owner, 


18 right? You're viewing documents or content. A hacker will, to 


19 get access to that underlying web server, will upload and place 


10:14 20 code on that server, unbeknownst to the owner of that system, 
21 and they can use that to then connect in and manipulate the 


22 system. 


23 It's a permanent access method? 


24 ] Yes. 


25 : EV: And, your Honor, I would object to this 
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1 line of testimony. He's not been noticed as an expert. 


2 THE COURT: I can't hear a word you're saying. 


3 MR. NEMTSEV: said, I would object to this line of 


4 testimony. He's not been noticed as an expert, and yet he's 


5 testifying as an expert. 
6 THE COURT: Overruled. Overruled. 


7 Q. One last exhibit, Mr. Brawner. Exhibit 75, is this 


8 another kind of log? 


9 A. 


10:15 10 Q. Which system does it come from? 


11 A. This is another log from the Bridge application. 


12 Q. And with Ms. Lewis' help, could you help us figure out 
13 what time period the log covers? 
14 A. So the first row is from January 21, 2020, and the last 


15 row is from January 16, 2019. 


16 Q. So about a year, January, 2019, to January, 2020? 


17 A. 


18 Q. As we went by, did you see the machine name 


19 of those rows? 


10:16 20 3 . Each row in Column D shows the machine named 


21 


22 ‘ this log show the company names and the type of 
23 like the others did? 
24 


25 : if at all, here did Kroll suspect problems with 
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2 . NEMTSEV: Objection. 


3 THE COURT: Sustained. 


4 Q. Was USLEDGE an authorized computer on Toppan Merrill's 

5 system? 

6 A. No. 

7 Q. How did Kroll go about and how did you go about trying to 


8 secure the Bridge system after this incident response? 


9 A. One of the steps that we advised Toppan Merrill to do was 


10:16 10 to reset or change the passwords associated with the Bridge 


11 users where we saw the suspicious activity. 


12 Q. And when did that occur, the password resets? 


13 A. Bridge password resets began in late January of 2020. 


14 Q. And when was the last evidence that you found of 


15 unwelcomed guests on the Bridge system? 


16 A. About the same time, so as the log shows, January 21, 


17 2020. 


18 MR. KOSTO: May I have one moment, your Honor? May 


19 have one moment? 


10:17 20 THE COURT: Oh, yes. 


21 (Discussion off the record between government 


22 attorneys.) 


23 Q. You testified about IP address coming back to AirVPN, 


24 185.228.19.147. Yes? 


25 A. Yes. 


10:18 10 
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Did you provide 


Yes. 


What else did you provide to law 


your review? 


forcement. 


MR. KOSTO: 


MR. NEMTSEV: 


break just to —- 


THE 


MR. 


Every IP address that our review 


und as related to the intrusion, 


that IP address to law ens 


Forcement? 


enforcement in connection 


found related to —- that 


we provided to law 


No further questions, your Honor. 


Your Honor, could we take a five-minute 


Excuse me? 


Could we just take a five-minute break? 


MR. 


10:18 20 


21 


22 


23 


24 


25 


little longer than 


£ 


initially anticipated, so 


use the bathroom before. 


THE COURT: 


less it's a humanitarian need -—- 


have a feeling this is going to take 


I was hoping to 


No. I mean, if you need to go, you need 


to go. We'll just wait for you. 


NEMTSEV: 


THE COURT: 


if someone is -- 


A JUROR: I 


No. I'll deal with it. 


Thank you, your 


We usually take our breaks at 11:00, but 


have a question. 
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iL: THE COURT: No. Well, don't ask it. Write it down. 


2 Maryellen, could you get the question. 


3 THE CLERK: Just the piece of paper. Don't give me 
4 the notebook. 
5 THE COURT: Well, why doesn't he get going, and then 


6 you can write it down and we'll pick it up, okay? 


7 Oh, you have it. All right. 
8 (Pause.) 


9 THE COURT: The question is 


10:20 10 MR. FERNICH: Judge, before the question is asked, 
11 could we be heard on this briefly at sidebar? 


12 THE COURT: Sure. 


13 iBAR CONFERENCE: 


14 . FERNICH: It's not the subject matter of the 


15 . It's the procedure of permitting the jurors to ask 


17 THE COURT: Tf they don't understand, I'll allow them 


18 T'll allow you to see it first. 


19 Do you want me to ask it or you to ask it? 


10:21 20 MR. NEMTSEV: Your Honor to ask it. 


21 THE COURT: I'm happy with the procedure. I was sort 


22 of screening. If it's a question that's sort of going to the 


23 burden of proof, I'm not going to allow it. If you just don't 


24 understand what a VPN is -- 


25 MR. FERNICH: It's a difficult procedure. 


10:22 10 


10:23 20 


21 


22 


23 


24 


25 
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of an authority from the 


THE COURT: 


This is highly technical. 


DC Circuit, 


the case was —-— 


understand, but let me just say this: 


I'm having a hard time following it. 


Let me just start there. This is highly technical. I'm not 


getting realtime either, so I'm really struggling to get it. 


So if some juror doesn't understand a term, I'll 


asked, but 


allow it to be 


not if he's sort of trying to replace 


the burden of 


proof of the government. So I'm happy to have you ask it the 


way you want. 


MR. KOSTO: What I propose, 


THE COURT: No. 


T 


is the way 


( 


the questioning and just ask this question in fol 


if you permit me to reopen 


low-up becaus 


this question will beg another question. 


ind of sidebar conference.) 


I'm going to do it. You know, I'm onl] 


you ask about terms because it is, 


burden of proof here, so I can't let you sort of ask a ton of 


questions. 


means, as 


HE COURT: Okay, the juror's question is -—- and this 


ly going to let 


after all, the government's 


So if you don't understand a term or what the term 


said, just ask the question. 


"Don't most computers use VPNs?" 


MR. FRANK: 


MR. KOSTO: Yes, your Honor. 


THE COURT: 


Don't most companies use VPNs?" 


Oh, you're right, 


think it says "companies," your Honor. 


It says companies, 


"Don't most companies 


10:24 10 


10:24 20 


21 


22 


23 


24 


25 
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use VPNs?" 


THE WI 


for two purposes: 


TNESS: So aS a 


your computer to your company. 


term, VPNS are most of 


ften used 


One is to create a secure connection from 


That's a common use case for a 


VPN. In the consumer market and in the commercial market, 


there are companies that provide VPN services. 


is similar, 


often to provide an 


connection. 


but 


So 


£ 


The technology 


the use case for paying for your own VPN is 


if I'm sitting 


THE COURT: All right 


THE WI 


at home -- 


neasure of anonymity or privacy for your 


, that's probably enough. 


TNESS: Does that help? 


THE COURT: Okay. 


MR. KOSTO: 


Nemtsev raised during the examination. 


THE CO 


EV: The 702 


What? 


Can 


EV: The 702 


EXAM 


NAT 


ON BY MR. NEMTS! 


, your Honor. 


expert issue. 


I begin? Thank you. 


G\7 « 
KV: 


Brawner, 


Correct. 


we've never met before, correct? 


We've never spoken either, correct? 


No. 


The same objection as before which 


don't know what you're referring to -- 


You've spoken to the government agents in this case 
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al multiple occasions; is that right? 


2 e Yes. 


3 : Most recently, I believe January 11, 2023? 


ag 


4 ‘ Yes, in preparation for being here today. 


5 ‘ And that was a meeting with the prosecutors in this case, 


6 potentially agents of the FBI, to go over the questions and 

i answers that they're going to pose to you and the answers that 
8 you're going to give in this case; is that correct? 

9 A. The only conversation with someone from the government in 


10:25 10 that sense was with the attorney discussing the topics for my 


11 testimony. 


12 Q. You and I, we've never had a question-and-answer session 
13 before, correct? 

14 A. No. 

LS , And you've been with Kroll -—- strike that. What is Kroll? 


16 : So Kroll is a global company that provides risk management 


17 advisory services and cyber-security services to businesses 


18 individuals. 


19 : And as part of that offering of cyber-security services, 


10:25 20 i ffers penetration testing to its clients; is that correct? 


21 THE COURT: I'm just having trouble hearing you. 


22 O.. As part of its cyber-security offerings, Kroll offers 


23 penetration testing to its clients; is that correct? 


24 A. Yes, we do. 


25 Q. And how many other companies in the U.S. offer penetration 
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i testing? 


2 A. I don't know. 


3 Q. Would you say it's a common offering by cyber-security 
4 companies? 


5 MR. KOSTO: Objection, foundation. 


6 THE COURT: Overruled. 
7 A. Yes. Many cyber-security companies offer penetration 
8 testing services. 


9 THE COURT: How long were you with Kroll? 


10:26 10 THE WITNESS: My work with Kroll dates back to 1999, 


11 and I've been in various roles at Kroll. There was a period 


12 that I was with a parent company to Kroll, but for most of my 


13 career, I've worked for Kroll. 


14 Q. And Kroll in this case was first contacted after Toppan 


is) Merrill received an SEC subpoena; is that correct? 
16 A. That's correct. 
17 Q. And who, to your knowledge, brought Kroll into the 


18 investigation? 


19 A. I don't recall. 


10:27 20 Q. Was your contact first with Toppan Merrill, or attorneys 


21 for Toppan Merrill, or with the government? 


22 A. I was not the engagement manager at the initiation of 


23 contact, so I don't know for certain. 


24 Q. Were you initially tasked with responding or helping 


25 Toppan Merrill respond to an SEC subpoena? 
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1 A. We were contacted at the point that Toppan Merrill had 


2 identified some suspicious activity on their network in 


3 response to an SEC subpoena. 


4 Q. from my recollection, your initial investigation only 


5 focused on one employee; is that correct? 
6 A. No. 


7 Q. Your investigation was not first focused on Mr. Oliver, 


8 Benjamin Oliver? 


9 A. No. 


10:27 10 Q. When did you identify Mr. Oliver as the potential employee 


11 that was compromised at Toppan Merrill? 


12 A. So as part of the initial gathering of facts from Toppan 


13 Merrill, we learned that there were accounts on Bridge that 

14 were exhibiting unusual activity. 

15 Q. And how many employees does Toppan Merrill have that have 
16 accounts with the Bridge program? 


Ly : I don't know the exact number. 


18 : [Is it fair to say it's about 3,000? 


19 It could be. I don't know. 


10:28 20 : Do you recall if it has employees worldwide? 


21 : I know that Toppan has employees worldwide, yes. 
22 : And those employees also have access to the Bridge 
23 program? 


24 A. Some employees do. Not all employees. 


25 Q. Did you ever meet Mr. Oliver? 


10:29 10 


10:30 20 


21 


22 


23 


24 


25 
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Q. Do you recall how many accounts Mr. Oliver had with Toppan 


Merrill that allowed him to access the Bridge system? 


A. I recall one account in 


had more than one account. 


one account. 


Q. Do you recall that Mr. 


particular. I don't recall if he 


Some employees did have more than 


Oliver in this case specifically 


had a Toppan Merrill email that had access to the Bridge 


account and a Hotmail email that had access to the Bridge 


account? 


A. I believe that is correct. 


oO” And what is Hotmail? 


THE COURT: What is 


MR. 


N 


EMTS 


EV: Hotmail. 


A. Hotmail is an email service provided by Microsoft that's 


often used by consumers and individuals. It's a free email 


service. 


O:. And is it your understanding that multiple Toppan Merrill 


employees used both the Toppan Merrill email address and their 


Hotmail email address to access the Bridge environment? 


A. In some cases, yes. 


Q. Are you aware of Mr. Oli 


his position at Toppan Merril 


A. I'm not aware of Mr. Oli 


Q. Do you know of 


iver using VPNs in connection with 


1? 


iver using any commercial VPNs, no. 


fF any other users at Toppan Merrill that used 
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i commercial VPNs in connection with their positions? 
2 A. No. 
3 THE COURT: Did you go in and look? 


4 THE WITNESS: That is not something that we 


5 specifically sought to validate across the whole company. 


6 Q. And is my understanding correct that Mr. Oliver, and 


7 potentially other users, could add additional accounts into the 


8 Bridge system? 


9 A. Yes. As an administrator, that access would be available. 


10:30 10 Q. So they could potentially add a third account for 


11 themselves, or another account for somebody else, whether it's 
12 a client or one of the other approximate 3,000 employees that 
13 work for Toppan? 


14 : . An administrator would have that ability. 


15 , based on your review of the Toppan Merrill system, am 


16 I correct that both drafts and final earnings reports were 


Ay stored on that system? 


18 A. That is my recollection, yes. 


19 Q. And do you recall whether the FBI or the government in 


10:31 20 this case asked Toppan Merrill, and potentially Kroll, to give 


21 you access to the actual documents that were potentially 
22 viewed? 


23 A. No. 


24 Q. Upon your examination of Mr. Oliver's account -—- and I 


25 believe this was recorded in a memo, but if you recall it -- 
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1 somebody said that he had poor password -—-— 


2 THE COURT: Could you start that again, please? 


3 MR. NEMTSEV: Sure. 


4 Q. In your conversations with the government, in your 


5 conversations with agents of the SEC and the FBI, believe you 


6 mentioned that Mr. Oliver may have had poor password hygiene. 


7 Do you recall that? 

8 MR. KOSTO: Objection. 

9 THE COURT: Well, why don't you just ask the question 
10:32 10 straight up. 


‘lal You know, you're the one who did this investigation. 


12 Did he have poor passport hygiene -- password hygiene? 


13 THE WITNESS: I don't recall specific to Mr. Oliver. 


14 When we see evidence of accounts that are compromised, that is 


15 a fair question when we're thinking about how that password 


16 might have been obtained improperly. 


17 Q. And were there further conversations -- 


18 THE COURT: What does it mean, bad password hygiene? 


19 THE WITNESS: So the idea of, let's say you have an 


10:32 20 online bank account, and you protect -—- your password for that 


21 account is "1234," right, or is an easy-to-know or 


22 easy-to-guess word or phrase, that would be indicative of poor 


23 hygiene because that password could be easily guessed or brute 


24 forced or compromised in some way. 


25 O. And was your concern that Mr. Oliver used the same 
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1 password for Toppan Merrill as he used for his LinkedI 


2 account? 


3 ; I recall that question coming up at one point, yes. 


4 : that was a concern because LinkedIn, prior to that, 


5 was potentially hacked and data was potentially leaked from 


6 LinkedIn; is that correct? 


i A. That was one reason for the concern, yes. 


8 THE COURT: Was his account at LinkedIn hacked? 


9 THE WITNESS: I don't recall. At the time of that 


10:33 10 question, we had not identified the source of the activity 


‘lal under Mr. Oliver's account. 

12 Q. And there was also concern that Hotmail may have also been 
13 breached and may have also had its accounts compromised; is 

14 that correct? 

15 A. Hotmail has had breaches in the past, and individual's 

16 accounts can be compromised, yes. 

17 Q. And do you recall the type of device that was used to sign 


18 in to Mr. Oliver's account on the Bridge platform? 


19 A. Mr. Oliver had a -—- what we identified as the legitimate 


- 


rroma 


10:34 20 or the authorized use of Mr. Oliver's account came 
21 Toppan Merrill computer. 
22 Q. So what was necessary, to your knowledge, to access the 
23 Toppan Merrill Bridge system? 


24 A. A username and a password. 


25 Q. There was no other requirement? 
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1 A. There may have been additional requirements for 


2 users. I don't recall today what those were. 


3 Q. But for the bulk of users, including Mr. Oliver and 


4 Mr. Smallman, there was no requirement, for example, that they 
5 have two-factor authentication; is that correct? 

6 : No, not at that time. 

7 : They weren't required to use a specific company laptop; is 
8 correct? 


9 : No, because the customers could be from anywhere. 


10:35 10 . And they could access the network from any IP address, 


Li whether it's a coffee shop, at home, or the office; is that 
12 correct? 

13 A. Yes. 

14 Q. And how would you rate Toppan Merrill's security -- 

15 MR. KOSTO: Objection. 


16 ; -—- during the relevant time period? 


A} THE COURT: Well, based overruled. Based on your 


18 experience since 1999. 


19 : I did not review the overall security of Toppan 


10:36 20 ill. We investigated two applications and related systems 


21 associated with the incident. 


22 Q. But you testified that you made recommendations, certain 


23 recommendations to Toppan Merrill to change their security 


24 practices and to implement multifactor authentication; is that 


25 correct? 


10:37 10 


10:37 20 


21 


22 


23 


24 
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M 


al 


R. KOSTO: Objection. Misstates the testimony. 


HE COURT: Overruled. 


A. So the Toppan Merrill Bridge application had measures of 


security. 


testimony. 


for users to log into that application, during the course of 


It had audit logging, as evidenced in my earlier 


The requirements for passwords and the requirements 


our investigation, we suggested that those requirements be 


strengthened. In that particular case, that is an application 


that's used by customers of Toppan Merrill. And so as a 


business, 


the requirements are connected with the expectations 


of the customers, not necessarily your business as a whole. 


Q. And Toppan Merrill, in particular, customers predictably 


would have 


high expectations of security, given that they're 


providing Toppan Merrill with draft earnings reports or other 


filings that they intend to be submitted to the SEC and kept 


confidential; is that correct? 


A. I don 


customers, 


"t know the expectations of their individual 


no. 


went through several IP log files, and I was hoping to 


with you Exhibit 73. 


MR. NEMTSEV: Mr. Picard, could you please pull it up. 


CLERK: Hold on. I have to switch over. 


MR. NEMTSEV: Could we pull up Exhibit 73. That's 71. 


we 


to 


go all the way to the left, Mr. Picard. Not the 


the left. Perfect. 
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i : So this is one of those log files that you testified about 


2 1 shows a date, a username, a company name, a document name 


3 t was accessed, correct? 


4 : That is correct. 


bs F In Columns AA, AB, AC, there is additional information 


6 concerning -- or additional information that you gathered. 


7 MR. NEMTSEV: Could we go a little bit to the right, 


8 Mr. Picard. 


9 Q. Column AA, for example, features the client IP address, 
10:39 10 correct? 
11 A. 


12 Q. Column AB features the country of origin, correct? 


13 A. 


14 5. EMTSEV: Could we scroll down a little bit. A 


is) little further. 


16 Q. And in some instances, the log files also feature 


17 and a country, correct? 


18 MR. KOSTO: Objection, your Honor, foundation. This 


19 is the area -- 


10:39 20 THE COURT: This is your log, right? Did you prepare 
21 


22 THE WITNESS: This is the log from the Bridge system 


23 that we reviewed earlier, yes. 
24 THE COURT: That your team prepared, right? 


25 THE WITNESS: Yes. 
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1 THE COURT: All right, so I'll allow him to answer it. 


2 MR. KOSTO: This is the subject we discussed before 
3 court this morning, your Honor. 
4 THE COURT: Overruled. 


5 QO. So in certain instances, there's also a city and a country 


6 and a potential county for the log-ins, correct? 


7 A. 


8 . NEMTSEV: Can we go a little further down, a 


9 little further. 


10:40 10 QO. Here, for example, there's log-ins from Switzerland, 


1] log-ins from New York, correct? 


12 A. Yes. 


13 MR. KOSTO: The same objection, your Honor. 


14 THE COURT: I'd like to know what they are. That 


15 means —- what do those locations denote? Do you know? 


16 THE WITNESS: Yes. So this log is produced by the 


17 Microsoft cloud portion of the Bridge application. And prior 


18 to our investigation, the reason in Column AA there is not an 


19 IP address specified is, that tool was not configured to 


10:40 20 retain -—- it was essentially redacting the actual IP address 


21 from the log. However, it would capture the identified country 


22 or city of that IP address at the time of the connection. 


23 THE COURT: Are you personally familiar with this? 


24 THE WITNESS: I'm speaking from, yes, from my work on 


25 this particular investigation. 
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1 Q. Can we go a little further down. There's a connection 


2 from Minnesota, for example; is that correct? 


3 A. Yes. 


4 Q. Could we go a little further down. Another connection 


5 from New York? A little further. And ultimately connections 


6 from Kansas City, Missouri, correct? 


7 A. Yes. 


8 Q. You didn' find any connections from Boston, Massachusetts; 


9 is that correct? 
10:42 10 MR. KOSTO: Objection. 


11 THE COURT: Overruled. 


12 A. I did not see any connections from Boston in this 
13 particular log, no. 

14 Q. Or in any other log; is that correct? 

15 MR. KOSTO: Objection. 


16 THE COURT: Overruled. 


Ly A. I don't recall if there were connections from Boston in 


18 any other log. 


19 Q. And there's also Column X, which indicates PC. Do you see 
10:42 20 that? 
21 
22 
23 
24 THE COURT: Excuse me. And so those locations were 


25 IP address of what? 
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al. THE WITNESS: So that would be the IP address that was 


2 seen connecting to the application. So if you are, let's say, 


3 at home here in Boston and you connect to a server, that server 


4 may capture that IP address, and then one can correlate that IP 


5 address to a location based on other data to identify where in 


6 the world that IP address may be. 


7 THE COURT: This is not something you yourself —-- 


8 THE WITNESS: No. 


9 THE COURT: All done off of a Microsoft application; 


10:43 10 is that it? 


11 THE WITNESS: In this case, the location data was 


12 provided automatically by Microsoft as part of the log being 


13 created. 


14 MR. NEMTSEV: Maybe I can clarify, your Honor. 


15 Q. Microsoft and the logging server system, once it senses a 


16 connection, it pulls data from that connection, correct? Like 


£ 


17 IP addresses, for example, what kind of username it is; in this 


18 instance, the location and the fact this connection occurred 


19 from a PC? Is that correct? 


10:43 20 A. That's correct. 
21 Q. And by PC, is my understanding correct that that's a 


22 Windows computer? 


23 A. Typically a -- the word -—- typically, PC would signify a 


24 indows computer. I don't know in this log for certain if it's 


25 lways a Windows computer. I believe it would be, though. 
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al MR. N EV: Thank you, Mr. Picard. You can take 


2 this down. 


3 Q. Did you also need a Crossfire application from the Toppan 


4 Merrill environment to view or access some of these earnings 


5 reports? 


6 A. So part of the Bridge application was the website, the 


a website that you would connect to. And then there was an 
8 additional component of the application that is installed on 


9 your computer, on the computer of the person accessing Bridge, 


10:44 10 in this case, because the Bridge application is designed to 


11 work with Microsoft Office documents and spreadsheets, so there 


12 are what's called a plug-in or an additional application that 


13 interfaces with your Microsoft Word to work with Bridge. 


14 Q. In simple terms, would you have to download that 


LS application in order to access a report from the Bridge 


16 environment? 


18 ‘ Did you locate any information indicating who and when and 


19 application was downloaded by potential intruders? 


10:45 20 THE COURT: By potential? 


21 MR. NEMTSEV: ntruders. 


22 THE COURT: Intruders. 


23 THE WITNESS: I apologize. I would like to address my 


24 prior answer about the documents. So the plug-in is the 


25 typical interface to when a user is working with documents in 
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i Bridge. I don't recall for certain if the plug-in is required 


2 in every instance of downloading a document; but when the 


3 plug-in is used, that provides us and provided the richest log 


4 detail about what the user was doing. 


5 Q. So you don't know necessarily when and if that plug-in or 


6 that application, that Crossfire application, is required to 


7 view a certain report or not? Is that -- 


8 A. That is the typical workflow of a user that I saw. They 


9 would use the Crossfire application. I don't recall if it's 


10:46 10 absolutely required in every instance. 


11 Q: Did you observe how that application was downloaded or 

12 when by a potential intruder? 

13 A. When a user logs on to the Bridge application, the website 
14 of Bridge, the ability to download that plug-in would be 

15 available through that application. 


16 Q. Can we take a look at Exhibit 77A. And this is a 


LS) spreadsheet of indicators of compromise, correct? 


19 z you testified to some relevant ones, and you read that 


10:47 20 list and indicated some of those IP addresses, but there's also 


21 portions that are redacted, correct? 


22 


23 ; do those portions contain additional IP addresses, 


24 additional malware that was potentially located on Toppan 


25 Merrill servers? 
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al A. The redacted portions, as best I recall, contained 


2 additional indicators of compromise. 


2 Q. Additional indicators of compromise that may not have 


4 related to this specific instance of intrusion; is that 


is correct? 


6 A. In our investigation, all of the indicators we provided we 


7 believe were related to this intrusion. 


8 THE COURT: That's a different question. What are the 


9 redacted? What's the redacted information? Were those other 


10:48 10 intrusions? 


11 THE WITNESS: No. They were all related to what we 
12 believed at the time to be this intrusion. 


13 Q. Could we take a look at Exhibit 239, please. 


14 . NEMTSEV: Sorry, your Honor, technical difficulties. 


15 COURT: Is your mouse not working? 


16 . FERNICH: It's just not loading. 


17 MR. NEMTSEV: t's not clicking. Maybe we could ask 


18 Ms. Lewis to pull it up. 


19 THE COURT: As you notice, the two key people in this 


10:49 20 room are the paralegals, who know exactly where all of these 


21 documents are. Not that the attorneys aren't doing a great 
22 job, but these paralegals are essential. Here we go. Good. 


23 QO. So this is one of the programs that was located on the 


24 Toppan Merrill servers; is that correct? If we could zoom in 


25 on the first half. 
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1. A. And so, yes. This is a log entry that we identified 


2 during our investigation. 


i) Q. And in this particular instance, it's this program called 
4 "Mimikatz 2.0"? 


5 A. 


6 ‘ EV: And, Mr. Picard, could we go a little 


h bit lower. 
8 Q. And you can see here that it was created by a Joe Bialek, 


9 and you have his Twitter screen name? 


10:50 10 A. That is the original author of the Mimikatz, this 


11 particular Mimikatz script. 


12 Q. So this program, this software, it's wildly -—- well, it's 


13 publicly available, correct? 


14 A. Yes. 


15 Q. Mr. Joe Bialek, he created it and he publishes it, and I 


16 can download it and you can download, and anyone in this room 


Ly can download it at will? 


18 A. Yes. 


19 Q. And most of the programs that you've located on these 
10:50 20 Toppan Merrill servers, they're publicly available? They're 
21 nothing special; is that correct? 


22 A. No. 


23 O.. Meaning I can't access some of these programs just by 


24 Googling them? 


25 A. Most of the programs that we identified are publicly 
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1 available. I can't confirm that all programs that we found 


2 were publicly available. 


3 O. But this one is, and I believe the first, DirBuster, as 
4 well? 

5 A. That is publicly available, yes. 

6 Q. Now, based on your investigation, did you determine who 


7 intruded into Toppan Merrill's servers? 


9 : Did you determine whether it's one person, a hundred 


10:51 10 people, a thousand people? 


12 : Did you determine where they were located when these 


13 intrusions occurred? 

14 A. No. 

15 Q. So you have no idea who was on the other end of the 

16 keyboard, whether it's one person, a hundred, a thousand, or a 
17 million? 


18 A. As a private citizen, as a commercial investigator, 


19 identifying where a person is and who is in a chair is 


10:52 20 typically outside of the domain of a commercial company. 


21 Ox And this is despite the fact that Kroll is considered one 


22 of the best companies in the industry? 


23 A. That is correct. 


24 MR. NEMTSEV: Nothing further, your Honor. 


25 
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] REDIRECT EXAMINATION BY MR. KOSTO: 


2 Q. Mr. Brawner, Mr. Nemtsev asked you about DirBuster and 


3 Mimikatz. Do you remember that? 

4 A. 

5 Q. He suggests to you they were publicly available; is that 
6 right? 

7 ; Yes. 

8 F And there was nothing special about them? 

9 : Yes. 


10:53 10 . What are those two programs used for? 


11 MR. NEMTSEV: I object, your Honor. This goes back 
12 know, what could he potentially use them for -- 


13 THE COURT: What? 


14 MR. NEMTSEV: This goes to what could they potentially 


15 for. 


16 I : Yes, sustained. He did an investigation, 


18 . KOSTO: Mr. Nemtsev asked him -- 


19 THE COURT: What he observed them being used for in 


10:53 20 this situation, I'll allow that. 
21 0. What did you observe those programs being used for in this 


22 incident response? 


23 A. We saw DirBuster being used to guess valid files or pages 


24 on the UIT application. We saw Mimikatz being run to dump 


25 passwords from the memory of the computer; in this case, 
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1 believe Mr. Smallman's computer. 


£ 


2 Q. Okay. Mr. Nemtsev asked you if you knew which of as many 


3 as a million people could have accessed Toppan Merrill's 


4 network; is that right? 

5 A. Could you -- 

6 Q. Mr. Nemtsev asked you whether Kroll had determined which 

7 of as many as a million people had accessed Kroll's network; is 


8 that right? 


9 A. I'm sorry. Could you repeat that one more time? 
10:54 10 Ou Mr. Nemtsev asked you about the numbers of people who 
11 could have accessed Kroll's network, right? 


12 A. Not Kroll's network but -- 


13 Q. I'm sorry. There's the confusion. Who could have 


14 accessed Toppan Merrill's network? 


16 ‘ Did you determine characteristics of the individuals you 


LS) suspected of unauthorized access? 


18 MR. NEMTSEV: Objection. 


19 THE COURT: Sustained. 
10:55 20 Q. What did you notice in your review that was common across 
21 the logs that you reviewed? 


22 A. We saw activity from a common computer name, and in that 


£ 


23 activity, a common pattern of accessing documents from multiple 


24 customers of Bridge, and saving those documents to the user's 


25 computer. 
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1 Q. And was that true for one IP address that you were looking 


2 into or more than one? 


3 A. For more than one IP address. 


4 Q. So how many different IP addresses of concern did Kroll 


5 identify during the investigation, just ballpark? 


6 A. We identified approximately two dozen. 


7 Q. And where did most of those IP addresses come back to 


8 purposes of what provider they were associated with? 


9 A. Most of them came back to AirVPN. 


10:56 10 Q. And regardless of the IP address that it came from, did 


11 they show similar activity in terms of opening files, saving 


12 files, reviewing financial information off of Toppan Merrill's 


13 system? 
14 A. 


15 Q. And as the investigator there, what did that suggest to 


16 you about the number of attacker or attackers? 


17 MR. NEMTSEV: Objection. 


18 THE COURT: Sustained. 


19 Q. Let me ask you a different question. There was some 


10:56 20 testimony about Crossfire. Is that something -- is that 


21 something that comes along with the use of the Bridge 


22 application? 


23 A. Yes. 


24 Q. And did Kroll identify any logs of, you know, specific 


25 downloads of Crossfire on Toppan Merrill's network? 


Case 1:21-cr-10104-PBS Document 181 Filed 02/06/23 Page 72 of 155 


a A. Crossfire was a component of the Bridge application, so it 


2 would -- its downloading could occur, you know, by any user of 
3 the application. 
4 Q. And would the user of the application necessarily need to 


5 know that they were downloading it? 


7 ' You testified about some location information -- 


8 THE COURT: So if you're hacking into Bridge, will you 


9 know that you've also downloaded through Crossfire? 


10:57 10 THE WITNESS: Yes, the component, the Crossfire 


11 component, needs permission on your computer to integrate 


12 itself with your Microsoft Office application, so you would not 


13 be able to sort of install that without acknowledgement by the 


14 user in some way. 


is) Ox In the case of the use of a VPN, would that go to the VPN 


16 computer or all the way back to the original user? 


17 A. It would go back to the original user, whether or not they 


18 were traversing or using a VPN. 


19 Os You testified about some location information, and 


10:58 20 Mr. Nemtsev showed you, I think, Minneapolis and New York and a 


21 few other places. Can you help the jury understand how that 


22 information arrives in the log. First of all, when it's turned 


23 on, is that in the Toppan Merrill log? 


24 A. So those logs are created by the Microsoft platform, and 


25 at the time of the activity, there would have been an IP 
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i address captured. But the policy from Microsoft, the 


2 configuration o t application at the time did not permit 


3 the retaining of t IP address in the log, so oftentimes --— 


4 and sometimes that's done for, you know, for privacy or to 


5 protect information in some jurisdictions. So the log entries 


6 where there's 0000 would indicate that that had been redacted 


7 once that log was made available to Toppan Merrill. 


8 THE COURT: It's a log of the IP address of 


9 person who? Which person? 


10:59 10 THE WITNESS: Whatever computer was accessing that 
‘lal application. 
12 THE COURT: The intruders? 


13 THE WITNESS: Could be, yes. 


14 ‘ And so if there are zeros there, was the logging turned on 


15 ff, in a simple way of thinking about it? 


16 ; When there's zeros, there was no logging of the IP address. 


17 : I'm asking specifically about the city/state pairs that 


18 . Nemtsev asked you about. Where do the city/state pairs 


19 come when they do appear in the logs? 


11:00 20 A. So they would have been —- 


21 Q. Is that something the Toppan Merrill system is, you know, 
22 adding in along with the -- 

23 A. No. That would have been added by the Microsoft platform 
24 automatically. 


25 Q. And where was Microsoft obtaining the city/state 
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1 information? 


2 A. I don't know what source they use to make that correlat 


3 : Are there commercially available sources to obtain that 


4 tnformation? 
3 ‘ Yes. 


6 : Are you familiar with any? 


7 : Yes. 

8 : Such as? 

9 . There are commercial companies. One that comes to mind 
11:00 10 would be MaxMind and other databases. 
11 THE COURT: Do you know what was used here? 


12 THE WITNESS: I don't know what Microsoft uses to make 


13 their correlation. 


14 THE COURT: All right, stop. Stop there. 


£ 


formation about the accuracy of the 


15 Q. Do you have any in 


16 information that the Microsoft software put into the Toppan 


17 Merrill logs? 


18 A. No. 


19 MR. KOSTO: could have a moment, your Honor. 


11:01 20 (Discussion 


the record between government 


21 attorneys.) 


22 Q. Do you have any information about who traded in the 
23 documents associated with the access to Toppan Merrill's 
24 system? 


25 A. No. 
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i . KOSTO: No further questions, your Honor. 


2 RT: Anything? 


3 5 IMTSEV: Maybe two minutes, three minutes? 


4 : Sure. 


5 MR. MTSEV: Thank you. 


6 THE RT: Then we'll take our morning break. The 


7 snack is here, Maryellen has discovered. 


8 RECROSS-EXAMINATION BY MR. NEMTSEV: 


9 Q. Do you have any reason to dispute the accuracy of the 


11:02 10 Microsoft logs -- 


11 MR. KOSTO: Objection. 


12 THE COURT: Well, sustained as asked. Do you know one 


13 way or another, yourself personally? 


14 THE WITNESS: To my experience is, those records are 


15 often accurate. They're not a hundred percent accurate. 


16 Sometimes they might represent a broad part of a region or 


Ay country, but they don't -—- they're not accurate down to a 


18 specific city, for example. 


19 oF Understood. And in your practice, in your experience as 


11:02 20 an investigator for Kroll with 20 years of experience, you 


21 frequently rely on these sort of log files; is that correct? 


22 MR. KOSTO: Objection, your Honor. Unrelated to his 


23 engagement re, which is the subject of his testimony. 


24 THE COURT: Yes, sustained. 


25 : You relied on these particular log files, and you believed 


Case 1:21-cr-10104-PBS Document 181 Filed 02/06/23 Page 76 of 155 


ac to be accurate; is that correct? 


2 : We did not rely on the location information in the logs. 


3 : But the log files that were produced from Microsoft? 


4 ‘ They were as produced from Microsoft. 


5 : And you relied on them as they were produced from 
6 Microsoft, correct? 
7 MR. KOSTO: Objection. Asked and answered. 


8 THE COURT: Yes, sustained. Asked and answered. 


9 MR. NEMTSEV: Could we take a look at Exhibit 77, but 


11:03 10 only for the witness. I don't believe this has been admitted 


1] in evidence. 


12 THE ] : 77A is in. 


13 MR. i iV: Yes, could we take a look at 77 just for 


14 the witness? 


15 THE ] - This doesn't work like that. 


16 THE : If you have it in writing, you can show it 


the record.) 


18 I ussion 


19 . NEMTSEV: Nothing further, your Honor. 


11:03 20 want to default and break the system. 


21 THE COURT: Hey, if there's one thing I have in here 


22 it's -- anyway, thank you very much. And you can leave now. 
23 Thank you. 
24 (Witness excused.) 


25 THE COURT: We can take our morning break. We'll 
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1 start gathering around 11:25, and hopefully we'll be back out 
2 here at 11:30. 


3 THE CLERK: All rise. 


4 (Jury excused.) 


5 THE COURT: Can I see counsel at sidebar 


6 second. 


7 SIDEBAR CONFERENCE: 


8 THE COURT: Who's your next witness? 


9 MR. KOSTO: Our next witness is Mr. Oliver. 


11:05 10 THE COURT: So what I didn't love was suddenly having 


11 an expert issue out of the blue. I gave opportunities for 


12 motions in limine. I'd show up at 8:30. So I allowed him 


13 in -- 


14 MR. KOSTO: We disclosed Mr. Brawner could talk abou 


15 the incident response and terms that he would be using, and it 
16 wasn't objected to, so we didn't have the issue that we did 
17 with Mr. Clarke. 


18 COURT: Well, he was the investigator. He has 


19 25 years of experience. I allowed him in as 701, but it's 


11:05 20 great if I get a heads-up about this stuff. 


21 MR. NEMTSEV: didn't know what he was going to 


22 fy about. 


23 THE COURT: "VPN" is the most common term. 


24 MR. NEMTSEV: didn't object to the VPN. The issue 


25 is when he starts to say, "This software can be used for this." 
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i THE COURT: I sustained a bunch of those. Just give 


2 me a heads-up. 


3 MR. NEMTSEV: The next expert from Stone Turn, 
4 Mr. Hartvigson, might be the same. 


is THE COURT: Okay, I'll be alert to it, but I only 


6 allowed him to testify to what he perceived in common terms in 


- the computer world, but is there anyone who's an actual expert 


8 other than the statistician? 


9 MR. NEMTSEV: Yes. I noticed Mr. Uitto. 


11:06 10 MR. KOSTO: Mr. Uitto is the one who did the forensic 


11 exams of what the FBI seized in the investigation. He was not 


12 objected to. Mr. Kenny is another witness who was -—- he was 


13 not objected to. 


14 THE COURT: I need to be careful. Just this one took 


15 me by surprise. Anyway, I tried to rein it in, but I viewed 
16 him as more of a 701. 
17 MR. FRANK: This is what they do. 


18 THE COURT: At some point if it's this guy, what he 


19 perceived, because he went in and he really didn't have much t 


11:07 20 say other than what he looked at, but there may be others that 


21 go far beyond that. 


22 MR. NEMTSEV: Whatever the disclosure, they said he 


23 could summarize it. It wasn't like a true expert disclosure. 


24 MR. KOSTO: But I think, given the context of the 


25 technical information, your Honor, the jury can get terms like 


11:07 10 


11:37 20 


21 


22 


23 


24 


25 
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IP address, domain." 


THE COURT: Those are just basic terms. 


MR. FERNICH: When he goes into what he observed 


outside his identification, what he typically sees in 25 years 


of experience, that's classic expert testimony. 


realized 


THE COURT: Well, I sustained the objections when 


question. 


back out 


heads-up 


where you were going. 


MR. FRANK: And the defense was asking the same 


MR. NEMTSEV: Well, we had to. We had to. 


THE COURT: Anyway, so we'll get Oliver? 


MR. FERNICH: Yes, our next witness. 


THE COURT: Okay, we'll see you at -—- we'll go right 


at 11:30, but give me a heads-up, okay? I'ma big 


person. All right, thank you. 


(End of sidebar conference.) 


(A recess was taken, 11:08 a.m.) 
(Resumed, 11:38 a.m.) 


THE CLERK: All rise. 


(Court enters.) 


THE CLERK: All rise for the jury. 


(Jury enters.) 


MR. KOSTO: The United States calls Benjamin Oliver, 


Your Honor. 


THE CLERK: Sir, could you remain standing and raise 
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1 your right hand. 


2 BENJAMIN OLIVER, sworn 


3 THE CLERK: Could you please state and spell your last 


4 for the record. 


5 THE WITNESS: My name is Benjamin Oliver. Last name, 


6 O-l-i-v-e-r. 


7 THE ERK: Thank you. 


8 DIRECT EXAM 


9 BY MR. KOSTO: 


11:39 10 Q. Keep your voice right up on that microphone. 


‘lal to keep my voice up as well, Mr. Oliver. 


12 What city do you live in, sir? 


13 : Eden Prairie, Minnesota. 


14 ; Where do you work? 


15 : Toppan Merrill. 


16 ‘ How do you usually refer to Toppan Merrill, your employer? 
17 : Toppan Merrill. 


18 ; How long have you worked at Toppan Merrill? 


19 : I've worked there for four years, since the acquisition of 


11:39 20 my previous company, Merrill Corp., which was -- I started at 


21 Merrill Corp. in 2011. 


22 ‘ So Merrill Corp. became Toppan Merrill? 


23 : Correct. 


24 ‘ Acquisition kind of situation? 


25 . Yes, sir. 
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2-81 


1 ‘ Okay. What's your educational background? 


2 : Bachelor's from UC Santa Barbara. 


3 ‘ What was your degree in? 
4 ‘ Finance. 


5 : What is Toppan Merrill? 


6 : Toppan Merrill's primarily a printing company, but they 


7 also do work in regulatory filings with the Securities and 


8 Exchange Commission. 
9 Q. And who are Toppan Merrill's clients for regulatory 


11:40 10 filings with the Securities and Exchange Commission? 


11 A. Pretty much any company that files publicly. It 


12 smaller companies to larger Fortune 500 companies. 


13 work with some private equity deals. 


14 Q. Does Toppan Merrill do specialized work only for small 


15 companies or only for the largest? 


16 A. No, sir. It's across the board. 


17 Q. What range of industries does Toppan Merrill's clients 


18 cover? 


19 A. I'd call it pretty unlimited. It could be printing, 


11:40 20 banking, could be biotech. Across the board. 


21 Q. Let me ask you about the names of some of the filings that 


22 Toppan Merrill helps its clients file. Okay? 


23 Can we start with a Form 10-Q? 


24 A. Yes, sir. That's a quarterly filing that a company that 


25 is publicly traded has to file with the SEC. It announces 


11:41 10 


11:42 20 


21 


22 


23 


24 


25 
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their performance over the last quarter. 


O-. How many times per 


year? 


A. Three times per year. 


Q. And what kind of 


a Form 10-0? 


A. The main item is 


for that given period of 


QO. Can we contrast a 


A. Yes, sir. So simil 


annual filing. 


data for the previous fiscal 


their 


financial data, 


time. 


10-Q with a Form 10-K? 


lar type of data, 


year. 


And what type of data goes into the 10-K? 


Similarly, 


So far, 


10-Q for quarterly, 


10-K 


for annual? 


Yes, sir. 


Total of four per year? 


Correct. 


Can 


Yeah. Outside of those periodic filings that a 


£ 


has to file, if 


add to that mix the 8-K? 


a material fact were to come to play 


company, they also have 


their performance or something that's 


O-. In the real world, 


SEC, typically something that has 


a requirement 


happening. 


what kinds of 


filing of an 8-K with the SEC? 


2-82 


information goes into a quarterly report, 


their performance 


but a 10-K is an 


It's when a company is announcing their annual 


the financial data for that given period. 


company 


for that 


to file that with the 


material relevance to 


things result in the 
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1. A. Very commonly, we'll see press releases. Companies will 

2 file their earnings releases. AS an example, if a company were 
Si to change a CEO or something of that nature materially, they 

4 would have to report it. 

5 Q. How about an acquisition or a sale of a company's 

6 division? 


i A. Absolutely. 


8 : Big things in the life of the company? 


9 : Yes, sir. 


11:42 10 Q. There's one other term I wanted to ask you about, which is 
11 an Exhibit 99. What is that? 


12 A. Typically found within an 8-K. An 8-K really is kind of a 


£ 


13 shell of a document. It's three or 


our pages. The exhibit 


£ 


14 really contains the material facts of what the company is 


15 announcing. 


16 Q. So what's the difference between the 8-K and the 


17 Exhibit 99? 


18 A. The exhibit's really where the information is, the 


19 substance is, for what the filing is. 


11:43 20 Q. And say there was a press release for whatever the company 


21 was announcing, would that be in the 8-K, or would that be in 
22 the exhibit? 

23 A. That would be in the exhibit. 

24 Q. And the exhibit, fair to say, is an attachment to the 8-K? 


25 A. Yes, sir. 
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2-84 


1 ‘ What's your title at Toppan Merrill? 


2 : Senior director of client services. 


3 : Did you have that role in 2019 and, let's say, 2020 up to 


4 about COVID? 


5 A. My title the role would have been the same. My title 


6 would have been director. I was promoted since. 


. Q. And in that same time window —- I'll keep my questions to 


8 2019 and early 2020 -- what did you do as a director of client 


9 services? 


11:43 10 A. I was responsible for managing project managers. My 


11 project managing team were responsible for working directly 


12 with the client. My team would work with that client on their 


13 EC filings, helping them getting from start to finish. 


14 : You were a supervisor? 


15 : Yes, sir. 


16 : Before Toppan Merrill files 10-Qs, 10-Ks, 8-Ks, 


17 Exhibit 99s with the SEC, how does Toppan Merrill treat that 


18 client information? 


19 A. Very confidentially. 

11:44 20 Q. Are there policies around confidentiality at Toppan 
21 Merrill? 
22 A. Yes, sir. 
23 Oy. And what are they? 


24 A. They range from having secure logins. We have training 


25 yearly on reminders of safety and security, confidentiality, 
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i and just some of the legal things related to it. 


2 Q. Why, aS a manager, do you have those policies? 
3 A. To emphasize with our team regularly that it is -- our 


4 clients' data is the most important asset we have, really. 


5 Q. And when Toppan Merrill is holding that information 


£ 


6 its clients, is the public aware of that information? 


7 A. No, sir. 


8 Q. What is the name of the system that Toppan Merrill used to 


9 hold this confidential information? 


11:45 10 A. The name's Toppan Merrill Bridge. Most people will call 


1] it Bridge for short. 


12 Q. In your role as a manager in 2019 and 2020, did you access 


13 Bridge to handle your clients' filing needs? 


14 A. Me personally, no. 


15 Q. How is Bridge organized? First of all, how does one get 


16 access to it? 


17 A. So to get access to Bridge, you have to have a login and 


18 password credentials. 


19 Ox And if you were to go -—- maybe paint a visual picture for 
11:45 20 the jury -- you use your username, you use your password, you 


21 hit enter, what pops up? 


22 A. As a person in my role, I would have access to all clients 


23 that we do business for, whereas a client would have access 


24 only to their personal information. 


25 : Lf you wanted to see -- I don't know if 
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1 client, but if you wanted to see IBM, what would you do? 


2 A. I would log in using my credentials. There's a search 


3 bar. I would type in the entity's name and go to that entity's 


4 information. 


5 Q. How often did you personally use Bridge to access client 


6 data before it was filed with the SEC? 


7 A. Very infrequently. 


8 Q. How often did you access Exhibit 99s, those 8-K-related 


9 documents, before it was filed? 


11:46 10 A. Equally infrequently. 


11 Q. What percentage of your job would you say was accessing 


12 client data in the Bridge system before it was filed? 


13 : Less than 2 percent. 


14 : What were your work hours pre-COVID? 


£ 


15 : I typically was working in the office 


16 : p.m. Central. 
17 ‘ When you say "in the office," where was that? 


18 : Saint Paul, Minnesota. 


19 : And did you work off-hours in that time period? 


11:47 20 : would work more in a consultative perspective. 


21 nember of my team needed help, they would call me or 


22 I have -- I manage three shifts around the clock, so 
23 get a call at any time. 
24 Q. When you were supporting teammates in that way off-hours, 


25 were you at home? 
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2-87 


al : Yes, sir. 


2 ‘ How often did you access the Bridge system from home to 


3 a teammate? 


4 ‘ I don't recall doing so. 


5 : Before COVID, did you travel regular] 


6 : Maybe once or twice that I can recall. 


7 ; When you were away from the St. Paul area, did you access 


8 the Bridge system in a consultative capacity? 


9 A. Not that I recall. 


11:48 10 Q. When you did access Bridge, how did you do so, what kind 


11 of machine? 


12 ; I would use my personal laptop assigned by the company, 


13 I would log in with my credentials. 


14 ; That's a piece of Toppan Merrill equipment that they own? 


15 : Yes, sir. 


16 ‘ Do you know the machine number that's associated with your 


17 laptop? 


18 : I would recognize it if I saw it. 


19 : Do you know what letters it begins with? 
11:48 20 ; NA. 


21 : What is your username on the Toppan Merrill network? 


22 : It's gonna be first name, last name @toppanmerrill.com, so 


23 benjaminoliver@toppanmerrill.com. 


24 Q. Do you use B Oliver or Ben O or anything like that? 


25 A. It's different if I'm logging onto the network. Where 
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1 logging into the Bridge system, it's 


2 benjaminoliver@toppanmerrill.com. 


3 : Do you recognize the machine name USLE 


4 . I do not, sir. 


5 : Do you know what a virtual private network is? 


6 : I do. 


7 : How would you explain it to the jury? 


8 : In our capacity, if we have to log onto our network, we 


9 would use a VPN system to, I guess, create a pipeline that 


11:49 10 allows us onto our network to access network-related 


1] i ormation. 


12 : Is that something that the company, Toppan Merrill, gives 


13 to you, or do you have to go out and find your own virtual 


14 private network? 


15 A. It's company provided. 


16 Q. Are you familiar with virtual private networks that you 


ay can rent on your own, that the company doesn't give you? 


18 MR. FERNICH: Objection. 


19 THE COURT: Sustained. 


11:49 20 Q. Do you use virtual private networks, other than the 
21 company's virtual private network, to log onto the Bridge 
22 system? 


23 A. No, sir. 


24 Q. Have you ever heard of AirVPN? 


25 A. No, sir. 
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al MR. FERNICH: Objection. 


2 THE COURT: Overruled. 
i) ‘ Have you ever used AirVPN to log onto the Bridge network? 


4 ; No, sir. 


5 : I'd like to ask you a few questions about some specifi 


6 employees at Toppan Merrill. 


7 Do you know the name Arthur Smallman? 


8 : I do. 


9 A Who is Mr. Smallman? 


11:50 10 : Arthur's a senior project manager who reports directly to 


12 ‘ How about May Vang? 


13 : She works as a doc specialist and reports directly to me. 


14 : What's a doc specialist? 


15 : Doc specialists are a little different than a project 


£ 


16 manager. If a client asks for speci 


£ 


ic help within their 


17 document, the doc specialist would assist in that. 


18 on What kind of help? 


19 Ax Formatting, something doesn't align right, they want it to 
11:50 20 look different in HTML than the way it currently looks, if 

21 they're setting up a new table and would rather have our 

22 assistance than doing it themselves. 


£ 


23 QO. Form rather than content; fair to say? 


24 A. Absolutely. 


25 Q. Who's George Zangara? 


11:51 10 


11:51 20 


21 


22 


23 


24 


25 


Case 1:2 


A. 


meani 
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He's a senior project manager and reports indirectly to 


And Leah Anderson? 


Is a project manager, reports to me. 


Were all these employees in 2019 and early 2020 employees 


access to the Bridge system? 


Yes, sir. 


Did these employees work off-hours? 


How did they generally work? Let me ask that. 


Sure. So all the names you mentioned work day shifts, 


ing 7:00 to 3:30, or thereabouts, Central. We do have a 


week] 


ly rotation whereby a project manager would then 


potentially work remotely over the weekend to cover our client 


needs. 


A. 


So Monday through Friday, if Mr. Smallman works 7:00 to 


say, and there were a client issue, what happens at 5:00? 


Our second shift, who comes on, say, 2:00 to 10:30 


Central, would take care of that. 


Q. 


need 


And then at 2:00 in the morning, if there were an urgent 


for help from Toppan Merrill, would Mr. Smallman have to 


handle that during the week? 


No, sir. We have a third shift. 


So it's really a 24/7 operation? 


It's a 24-by-5 with weekend on call coverage. 


And other than when they're on weekend call, do 
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1 employees access the Bridge system from home? 


Z : No, sir. 


3 ‘ Do you know of Behm? 


4 : I do. 


bs s B-e-h-m? 


6 : Yes, sir. 
. : Who is Ms. Behm? 
8 : Rayna is a business analyst. She collects development 


9 requirements for our proprietary workflow system. 


11:52 10 . I'm not sure what that meant, but I'll ask you whether she 


11 the Bridge system? 


12 ; She does not. 


13 : Do you know a Jerome Taylor? 


14 : I'm familiar with the name but not the individual. 


15 , Is he a Toppan Merrill employee? 


16 : Yes, sir. 


17 ‘ Let me show you Government's Exhibit 73 in evidence. 


18 Directing you to Column D, do you see your username in 


19 Column D, like David? 
11:52 20 ‘ Yes, sir. 


21 : Could you read it aloud for the jury? 


22 : benjaminoliver@toppanmerrill.com. 


23 : And Ms. Lewis will help with this, but can you -—- with 


24 reference to the time stamp in Column A, can you give us the 


25 date range of entries in Exhibit 73, starting at the top? 
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al : 2019, October 14th. 
2 ‘ Going down to... 


3 < 2020, January 16th. 


4 . Can I take you, with Ms. Lewis's help, back to the 


bs seven rows. 


6 Do you see reference to the company named Citi Group? 


7 : Yes, sir. 


8 ; Do you see reference in Column E to documents 


9 template 6-K, Exhibit. 99,2,. and EX_99? 


11:53 10 THE COURT: You're going too fast. 


11 MR. KOSTO: Let me slow down. Thank you, Your Honor. 


12 : Do you see reference to C_template_8-K? 


13 : Yes, sir. 


14 : Do you see ference, two rows down, to EX_99.2? 


iS) : I do. 


16 : Do you see ference to ] 
17 : Yes, sir. 


18 : Are all those in relation to Citi Group in Column C? 


19 Yes, sir. 


11:54 20 : Looking at that information, is that consistent with how 


21 you use the Bridge system in your job? 
22 A. No, sir. 


23 Oy. Why do you say that? 


24 A. Typically, I'm used in a consultative manner. A client or 


25 an employee typically will come to me and say, Ben, can you 


11:54 10 
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help me understand this item in this document? In which case, 


I may launch that document —-- in this case, I'll just use the 


template 8-K as an example. JI would look, I would guide them 


as to what 


What 


see and what to do. 


see here is someone accessed the template 8-K -- 


MR. 


correct? 


Objection. 


Well, this is -—- 


is is your user account, Mr. Oliver, 


Yep. Uh-huh. 


He can't interpret the 


T'll allow whether or not you would use 


ITNESS: I wouldn't. Typically, 


MR. 


‘ERNICH: Objection. 


COURT: What's the next question? 


KOSTO: Let me ask you to look at Column A for 


rows 2 through 8. 


11:55 20 


21 


22 


23 


24 


25 


do. 


Do you see it there? 


What time is reflected on Column A for October 14th? 


9:13 a.m. 


Through what time? 


9:20 a.m. 


11:55 10 


11:56 20 


21 


22 
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weekends, 


A. 


Q. 


2-94 


Yes; sir. 


I do not. 


You do not? 


Do not. 


Do you see the reference to Z in the column? 


Do you know what that means? 


What time do you usually work for Toppan Merrill, not on 


and in the Bridge system? 


7:00 to 5:30 Central. 


Do you make a habit of working at 3:00 and 4:00 in the 


morning on the Bridge system? 


A. 


MR. KOSTO: 


Ms. Lewis. 


Q. 


She' 


Can I ask you 


11 scroll from 


recognize —- 


then 


Q. 


A. 


in looking at it, 


MR. KOSTO: 


to look at the machine name in Col 


I do not recall doing so. 


Tf you could take us to Column G, 


top to bottom. And I'll ask you 


Could you go back up there? Pause and 


continue. And continue. 


In Column G, do you recognize any machine names? 


Yeah, I'm really seeing two. One begins with an NA that, 


23 


24 


25 


USLEI 


Q. 


A. 


DGE. 


No, sir. 


Do you recognize USLE 


appears to be my computer. And one named 
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1 MR. KOSTO: 1 could ask Ms. Lewis to sort on the 


2 NA500244 username for a second. 


3 Q. Do you see that all these entries now concern that machine 
4 name, Mr. Oliver? 


5 A. Yes, sir. 


6 MR. KOSTO: And can I ask Ms. Lewis to bring us over 


7 to Column E. 


8 ‘ Do you see the documents referenced here? 


9 : L-dO. 


11:57 10 : Is that consistent with how you used the Bridge system? 
11 : Yes, sir. 


12 ‘ Why do you say that? 


13 : In these instances, I'm opening one file in the whole 


14 filing submission. So an employee of mine would have asked me 


LS something specifically, and I would have gone specifically to 


16 that file. 


17 Q. Would you, in using the Bridge system, open one file after 


18 another after another after another to get at something? 


19 A. No, sir. 


11:57 20 Q. Let me show you Government's Exhibit 75, please. 


21 MR. KOSTO: If we could go to the top, Ms. Lewis. 


22 : And I'll ask you if you recognize any usernames there? 


23 : I see my username. 


24 MR. KOSTO: If Ms. Lewis could scroll a little bit. 


25 : T'll ask you to tell us "stop" when you see another 


11:58 10 


11:58 20 


21 


22 


23 


24 


25 
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username. 


A. 


Q. 


Stop. 


Before I go on, did you ordinarily have that many 


interactions with the Bridge network in your work? 


No, sir. 
What name appears below yours? 
George Zangara. 


Is he an employee of yours? 


Indirectly, he is. 


Does he use a USLEDGE machine? 


No, sir. 


Do you and he both use the same laptop to access Toppan 


Merrill's Bridge system? 


A. 


No, sir. 


Do you see Ms. Vang's name there, May Vang? 


I do. 


Is she an employee of yours? 


Yes, sir. 


Does she use a machine in USLEDGE to access Toppan 


Merrill's system? 


A. 


Q. 


No, sir. 


Do you and she share a computer to access Toppan Merrill's 


system? 


A. 


No, sir. 


MR. KOSTO: No further questions, Your Honor. 
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1 THE CLERK: Are you using the document camera at all? 


2 . FE CH: We may use 73, but that's it. 


3 ERK: All right. I'll switch it over just in 


5 CROSS-EXAM 


6 BY MR. FERNICH: 


7 QO. Good morning, Mr. Oliver. My name is Fernich and I 
8 lawyer for Mr. Klyushin. 
9 We don't know each other, do we, sir? 

11:59 10 : No, sir. 


11 ; We've never met or spoken? 


12 ‘ No, sir. 

13 : last spoke with the government on January 6th? 

14 : No, sir. 

15 : No? You didn't speak with the government on January 6th 


16 of this year? 


17 : That was not the last time I spoke with the government. 


18 ‘ Oh, you spoke with the government since January 6th? 


19 Yes, sir. 
12:00 20 : When was the last time you spoke with the government? 


21 : Last night. 


22 : Last night. 
23 And whom did you speak to from the government? 
24 ‘ Seth. 


25 : You spoke to one of the prosecutors in this case? 
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al A. Yes, sir. 
2 Q. Right. And he asked you some questions and you gave some 
3 answers? 


4 A. Yes, sir. 


5 Q. And that was all in preparation for your testimony here 


6 today, yes? 


i : I would say, yes. 


9 Now, you told us that you worked for Toppan Merrill or its 


12:00 10 predecessor since 2011; is that correct? 
11 : Yes, sir. 

12 ‘ And that's about twelve years? 

13 : Yes, sir. 


14 ; And obviously, you're still working there now, right? 


15 : Correct. 


16 : Okay. Now, turning back to the period 2019 through '20, 


LS) you told us that Toppan Merrill handled sensitive financial 


18 information; fair to say? 


19 ; Yes, sir. 


12:00 20 : And you also told us that it was very important to keep 


21 information confidential; am I right? 


22 2 That's correct. 


23 F And you worked at an office in Saint Paul, Minnesota; is 


24 correct? 


25 . That's correct. 
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i Q. You had the ability to work remotely, yes, the ability to 
2 do so? 


3 : ability, yes. 


4 . . And the ability to work from home, if you wanted to 


5 Lf you were told to, correct? 
6 A. Correct. 
7 Q. And you were using a Toppan Merrill laptop back at that 
8 time; is that right? 
9 A. That's correct. 
12:01 10 on And you would take the laptop home on weekends when you 


dad. were on call? 


12 A. In my role, I wasn't on call. 
13 Q. You were not taking a laptop home on weekends before you 


14 became a director, for example? 


15 : time you suggested, I'm the director. 


16 ‘ . And you never took the laptop home on weekends, you 


A} weren't one of the people on call? 


18 A. I was not on call, sir. 


19 Q. Okay. But the employees who worked under you, they were 
12:01 20 on call, you told us, sometimes, correct? 


21 A. That is correct. 


22 Q. And they would take laptops home when they were on call, 


23 if you know? 


24 A. I would say that's fair to say. 


25 Q. Okay. And you could access Toppan Merrill's computer 
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1 system through any WiFi connection; is that correct? If one 


2 were remote, a TM employee. It's a bad question. I'm sorry. 

3 A. Can you rephrase that or restate it? 

4 QO. Sure. A TM employee who was working remotely could access 
5 the computer system through any WiFi connection; is that 

6 correct? 


7 A. That's correct. 


8 : A Starbucks, for example? 
9 : That's correct. 


12:02 10 : A McDonald's? 


Ad. : That's correct. 


12 : Right. Okay. Fair enough. 


13 And you could access Toppan Merrill's Bridge system, you 


14 1 us, by entering a simple username and password pair; is 


15 1 correct? 


16 : That's correct. 


17 ; You know what multifactor authentication is? 


18 : I do. 


19 : There was no multifactor authentication system in place 


12:02 20 in 2019 through early '20 at TM, was there? 


21 : On the Bridge system, I don't recall. 
22 ‘ ight. And that's even though you told us that it was 


23 very important to maintain a secure environment? On direct, 


24 you told us that, right? 


25 A. Can you restate the question? 
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i Q. Yes. On direct, you told us that it was very important to 


2 have secure log-in credentials, correct? 


3 A. That's correct. 


4 ‘ Because you were dealing with highly sensitive 


5 fidential information, correct? 


6 : Correct. 


7 ; Okay. And in fact, you know that Toppan Merrill didn't 


8 le multifactor authentication for administrative users 


9 lL late June of 2020; is that correct? 


12:03 10 - I wouldn't know the date or time. 


‘lal Q. You don't disagree with me if I make that representation 
12 to you, do you? 

13 MR. KOSTO: Objection. 

14 . Sound about right, June 2020? 


15 THE COURT: Just could you state the full question 


Ly . FERNICH: Sure. 


18 Q. You don't disagree that TM didn't enable multifactor 


19 authentication until around late June of 2020? 


12:03 20 MR. KOSTO: Objection. He stated he did not. 


21 THE COURT: Overruled. 


22 A. I don't know what the time frame was. 


23 OC. Okay. But for sure, as you told us a moment ago, there 


24 was no multifactor authentication as early as, say, January 


25 2020, right? 
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al A. I don't believe there was. 


2 Q. Okay. And, sir, like many of us, you had a LinkedI 


3 account back around 2019 through '20? 


4 A. Yes, sir. 


5 Q. Did you use the same password for your LinkedIn account as 


6 any other email account you may have had? 


7 A. I don't recall, sir. 


8 Q. You don't recall. Fair enough. 


9 Do you recall that LinkedIn suffered a widely reported 


wy 


12:04 10 data breach just a few years ago? Are you aware of that? 


11 MR. KOSTO: Objection. 
12 THE COURT: Do you know one way or another? 


13 THE WITNESS: I don't. 


14 ‘ Fair enough. 


15 Back in 2019 through '20, Toppan Merrill had about 3,000 


16 employees worldwide, yes? 


17 : I'm not sure, sir. 


18 ; Okay. Does that number sound correct to you? 


19 ‘ I don't know, sir. 


12:04 20 : Okay. Fair enough. 


21 But you know that some 50 employees had administrator 
22 access to the computer system in your group alone; isn't that 
23 right? 


24 A. I don't have 50 employees or ever have, so... 


25 Q. In your group —- if somebody were to characterize your 
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1 group, have you ever heard the phrase "your group" bet 


2 : I haven't, sir. 


3 ‘ Do you know what administrator access means? 


4 : I do. 


bs F What does that mean? 


6 ; An administrator access would have the ability to view all 


i accounts under the Bridge system. It would also have the 


8 ability to create, delete user accounts or new accounts. 


9 Q. Uh-huh. Did you have administrators with access 


12:05 10 associated with your client services team? 
11 : Yes, sir. 
12 : How many of those did you have, would you say? 


13 : Twenty. 


14 . Twenty? 
15 : Approximately. 


16 ‘ Okay. Twenty with administrative access. Fair enough. 


17 And you supervised roughly 12 employees on the client 


18 services team; is that right? 


19 A. That sounds right during that time frame. 


12:06 20 Q. Okay. And as you told us a moment ago, these -—- I guess 


21 it was 20 administrators, they had broad access to any company 


22 using the Bridge system, data on any company using the Bridge 
23 system? 
24 A. Can you define "broad access"? 


25 Q. Strike "broad." 
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1 They had access to information on any company using the 


2 Bridge system, the administrators? 


3 A. That's correct. 


4 Q. Okay. And is it fair to say that some of your team 
5 members used more than one log-in credential, more than one 


6 log-in identity? 


7 A. In the '19 to '20 time 


8 Q. Yeah. 
9 A. That's correct. 


12:06 10 O. Okay. And team members could set up their other second 


1] log-in ID? 


12 A. Administrators could, yes. 


13 Q. Administrators could. 


14 And what about a third log-in? Was it generally just two 


is) when we say more than one, or could they have three, four 


16 log-in IDs? 


17 A. I'm only aware that anyone ever had two. 


18 Q. Okay. And some TM employees, they also had Hotmail 


19 accounts associated with their Toppan Merrill Bridge accounts; 


12:07 20 is that correct? 


21 A. That's possible. 


22 Q. Well, weren't you one of the employees who had a Hotmail 


23 address associated with your TM Bridge account? 


24 A. I don't believe so, sir. 


25 Q. Okay. What about —-- well, it certainly wasn't unusual, 
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1 t, for a TM employee to have a Hotmail account associated 


2 the Bridge account? 


Si MR. KOSTO: Objection. 
4 THE COURT: Do you know? 


5 THE WITNESS: I wouldn't say it's unusual, but 


6 wouldn't say it's usual. 


7 : It wouldn't surprise you if that were true, correct? 


8 ‘ I guess it wouldn't surprise me. 


9 Q. Right. In fact, one of your own team members used a 


£ 


12:07 10 Hotmail account for work purposes; isn't that correct? 


Li A. I'm not sure, sir. 


12 Q. Well, what about Arthur Smallman, did he have a Hotmail 


13 address that he used for work purposes? 


14 A. I don't know, sir. 


is) Q. You don't know. 


16 MR. FERNICH: Tim, could we put up 73 in evidence. 


Ay Let's stroll to the top. I'm sorry. 


18 THE COURT: Are we going to take a stroll? 


19 MR. FERNICH: I made a mistake. 


12:08 20 Tim, try 75 in evidence instead. 


21 But wouldn't mind taking a stroll. 


22 Q. Mr. Oliver, looking at Column C, lines 1 through 10, can 


23 you read the email address listed there? It appears to be an 
24 email address. 


25 A. ajs1l223@hotmail.com. 


12:09 10 


12:09 20 


21 


22 


23 


24 


25 
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That address, is that familiar to you? 


No, sir. 


Q. ajs, 


a middle i 
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what was Arthur -- do you know if Arthur Smallman had 


nitial? 


A. I don't, sir. 


Q. Okay. 


Sir, 


Fair 


do you remember reading a few years back about a 


enough. 


major data breach that Hotmail suffered? 


A. No, sir. 


MR. KOSTO: Objection. Relevance. 


THE COURT: He answered "no." 


QO. And, 


could also access the Bridge system; 


Yes, 


Sir, be 


sir. 


sides Toppan Merrill employees, 


T™ clients 


is that correct? 


About how many clients did TM have back in 2019 through 


More 


Yes, 


More 


if you know? 


than a 


that's 


than a 


can't say, 


Yes, 


Okay. 


Definitely m 


sir. 


Fair 


I don't know, sir. 


hundred? 


fair. 
thousand? 
sir. 


ore than a hundred, though? 


enough. 


MR. FERN 


CH: Tim, can you put up 73 in 


evidence, 
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al please. Can you scroll down, please, Tim, to lines 55 through 


2 D1 


3 Q. Mr. Oliver, looking at 55 through 57 in Column A, can you 
4 tell us the dates of those entries, please? 


5 A. 2019, October 16th. 


6 MR. FERNICH: And, Tim, can you move it over to 


7 Columns AB, AC, and AD. 


8 : Do you see those locations there in Columns AB, AC, and 


12:10 10 : Yes, sir. 


11 ; Can you read those for the jury, please? 


12 : In AB is Prague. AC is -- I'm sorry. I'll mess this up. 


13 Q. Yeah. And the country, if that's what it is, the next —- 


14 Praha. Do you know what Praha is? 


15 A. Never heard of it, sir. 


16 Q. Okay. Fair enough. 
Ly And the next word after Praha? 


18 2 Czechia. 


19 : Czechia. Okay, good enough. 


12:11 20 And the government, they didn't show you AB, AC and AD 


21 ask you about those columns on direct examination, did they? 
22 You don't remember that? 
23 A. No, sir. 


24 Q. Okay. 


25 MR. FE CH: Tim, can you scroll it over to the lef 
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A a bit, the same columns. Keep going, keep going, keep going. 


2 All right. You can stop at D and E. 


3 ‘ Looking at lines 56 and 57, the { digits in 56 and 57, 


4 are those? Can you read those? 


5 : What column, sir? 


6 ‘ I'm sorry. D and E, at the very end. Do you see where it 
7 "X" there? 


8 . Oh. 


9 : BM slash -- 


12:11 10 2 EX99_1. 


11 : Is that the 99 that you were talking about on direct, the 


12 Exhibit 99 that you were talking about on direct, do you know? 
13 A. That would be common, yes. 


14 Q. 


15 And that Exhibit 99, typically, as you told us on direct, 
16 includes material facts like company announcements, yes? 


17 A. It can, yes. 


18 QO. It can. 


19 And sometimes it includes press releases? 


12:12 20 2 Correct. 


21 : Okay. Good enough. 


22 MR. FERNICH: Tim, 61 through 63, please. 


23 ; And the dates on those, sir, if you could give it to us? 


24 MR. FERNICH: Tim, you have to move it all the way to 


25 ft. Very good. 


12:12 10 


12:13 20 


21 


22 


23 


24 


25 
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The dates on 61 


2019, October 18th. 


Okay. 


Can you read those 


the document column, 


Those are also 
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through 63? 


MR. FE CH: And let's move it back to AB, AC, and 


D, please. 


ions in those columns, please? 


B is Oslo. AC 


62 and 63. 


That's correct. 


Okay. 


through 73, please. 571. 


lo County. AD is Norway. 


‘ERNICH: And let's scroll it back all the way to 


the type of document column. There you 


Exhibit 99s, it appears? 


MR. FERNICH: And finally, let's take a look at 571 


move it over to the left, 


You were there. Beautiful. Let's 


past -- to A. 


QO. Sir, if you don't mind, the dates on those? 


2019, December 4th. 


Okay. 


and A 


QO. Sir; 


those columns? 


A. 


D. 


MR. FE CH: And, Tim, let's move it, again, A 


I was going to say, 


can you tell us the locations that seem to appear in 


It's a hard one, the first one. 


I'm going to blow it. 


Case 1:21-cr-10104-PBS Document 181 Filed 02/06/23 Page 110 of 155 


2-110 


al. - I know. 


2 : Dietkon. 


3 : Phonetic will be all right. 


4 : n AB. AC is Zurich. AD is Switzerland. 


5 : Okay. Sir, can you take minute and look up and down -—-— 


6 MR. FERNICH: And, Tim, you can scroll it. 


7 On -—- and take as much time as you need, up and down 


8 Columns AB, AC, AD, and even AE. Go through it and take as 


9 much time as you want. I don't want to waste the jury's time. 


12:14 10 MR. FERNICH: You can go a little faster than that or 


11 we'll be here all day. 


12 Q. Sir, you don't see any reference to Russia anywhere in the 
13 entirety of that log in those columns, do you? 


14 A. I did not, sir. 


15 MR. FERNICH: Just a few more. We're almost done. 


16 Q. Now, as part of your job as senior director of client 
17 services, the company would be working with the -- not directly 


18 with the SEC, but it was working to ensure that the documents 


19 met regulatory requirements; is that correct? 

12:15 20 A. That is correct. 
21 Q. And people at TM -- maybe not yourself —- they would 
22 provide some proofreading services of the documents, yes? 
23 A. That is correct. 
24 Q. For formatting? 


25 A. Yes, sir. 


12:16 10 
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Q. And also, again, to ensure regulatory compliance; is that 


correct? 


A. Yes, sir. 


And in your experience, 


the 


ft reports, yes? 


Can you define "draft"? 


Well, let's ask it more direct 


The reports in the Bridge syst 


ultimately filed with the SEC? 


Yes, sir. 


Okay. Fair enough. 


alt a 


Bridge system, it contained 


tem could change before they 


Thank you very much. 


MR. FERNICH: No further questions. 


ED 


R 


ECT 


EXAM 


NAT 


BY MR. KOSTO: 


12:16 20 


21 


22 


Q. Good afternoon, again, 


Mr. 


Oliver. 


ON 


Mr. Fernich showed you 


a number of city and state and country pairs. Did you see 


that? 


A. Yes, sir. 


Yes, sir. 


information? 


23 


24 


25 


A. No, sir. 


In Exhibit 73; is that right? 


Do you have any idea about the accuracy of that 


Q. Do you have any idea where it came from? 


A. I do not. 
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formation? 


12:17 10 


or changes to documents on behalf 


do not. 


A. I did not. 


Do you have any idea whether it's a complete set of 


Did you use a machine labeled "USLI 
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EDGE" to engage in edits 


of clients? 


How do you know that? 


A. The only system 
computer, and it starts with an NA. 


MR. KOSTO: 


MR. 


THE COURT: 


12:17 20 


21 


22 


23 


24 


25 


F 


from here? 


ERNICH: 


No 


Just one or two. 


RECROSS—-EXAM 


BY MR. FERNICH: 


NAT 


I've used to access Bridge was my 


further questions, Your Honor. 


Do you want me to do 


From right there is good. 


ON 


Q. Sir, you don't know -—- with reference to Exhibit 73, you 


don't know i 


fF the government or the defense introduced that 


exhibit into evidence, 


A. I do not. 


MR. 


F 


ERNICH: 


THE COURT: Th 


Your next witn 


MR. KOSTO: Th 


Can 


give you 


do you? 


No further questions. 


ank you. You may step down. 


ess. 


e United States calls Daron Hartvigsen. 


some exhibit numbers? 


THE CLERK: Yes. 


12:19 10 
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MR. KOSTO: 71A, 71B, VIF, 71G, 711, 71IN, 71P, 71R. 


THE CLERK: Thank you. 


Sir, could you please stand and raise your right hand. 


DARON HARTVIGSEN, sworn 


THE COURT: I should ask -- I'm sorry. No objection? 


MR. NEMTSEV: No objection, Your Honor. 


THE COURT: All right. I'm sorry. Go ahead. 
(Exhibit Nos. 71A, 71B, 71F, 71G, 711, 71N, 71P, 71R 


in evidence. ) 


THE CLERK: Could you please state and spell your last 


the record. 


THE WITNESS: My last name is Hartvigsen, 


H-a-r-t-v-i-g-s-e-n. 


12:19 20 


21 


22 


23 


24 


25 


QO. Mr. 


MR. KOSTO: May I proceed, Your Honor? 


THE COURT: You may. 


DIRECT EXAM 


BY MR. KOSTO: 


Hartvigsen, go ahead and pull that microphone nice and 


close, and do your best to keep your voice up. 


What city do you work in, sir? 


Washington, D.C. 


And 


what field do you work in? 


Cyber security. 


Are 


you familiar with the term "incident response"? 


am. 
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i Q. What is incident response? 


2 A. It's an organized approach to respond to a cyber incident 
i or breach. 
4 Q. How long have you worked in the incident response area? 


5 ae About 25 years. 


6 Q. Going from oldest to newest, what is your professional 


7 experience in the area? 


8 A. Previously, I worked as a cybercrime investigator with the 


9 United States Air Force. And most recently, I've been 


12:19 10 supervising and leading incident response teams. 


11 Ox Go ahead and pull that microphone a little bit closer so 


12 we can hear you. 


13 z A little closer? Is that better? 


14 - I think that's better. 


15 . Okay. 


16 : Do you hold any professional certifications relevant to 


17 work in incident response? 


18 . I do. 


19 : What are they? 


12:20 20 ; I'm a certified digital media collector, a certificated 


21 forensic examiner, and a certified cybercrime investigator. 


22 QO. And what is a certified forensic examiner? 


23 A. That's a person who can take digital evidence and examine 


24 it in a forensically sound way. 


25 Q. Where do you work in December 2019 and January 2020? 
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1 : I worked for a company named Ankura. 


2 ‘ At that time, had Ankura been hired on behalf of a company 


3 lled Donnelley Financial Services -- or Donnelley Financial 


4 lutions? 
5 ‘ Yes. 
6 . Solutions, not Services, right? 


7 P Correct. Solutions. 


8 : What did you call it just in regular conversation? 


9 : We often called it DFIN. 


12:21 10 ‘ What was the problem at DFIN? 


11 : We were asked to look into an account that was suspected 


12 to be compromised. 


13 : What was your role in the Ankura engagement for | 


14 : I lead the incident response teams. 


15 z In a word or two, what was DFIN's business? 


16 : DFIN provided software solutions for public companies that 


17 needed to report their activities to regulators such as the 


18 SEC. 


19 Q. And which of DFIN's computer networks was the first area 


12:21 20 of concern for Ankura? 


AL A. That was ActiveDisclosure. 


22 - And what is ActiveDisclosure? How did that connect to 


23 DFIN's business? 


24 A. ActiveDisclosure is essentially software that enabled DFIN 


25 clients or companies to collaborate and house documents and the 
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al like that would enable them to report information to the SEC, 


2 as an example. 


3 on Where were the ActiveDisclosure computers located? 
4 A. Chicago and in the cloud. 


5 O- What, if any, problems did Ankura identify with the 


6 ActiveDisclosure software program? 


7 A. We identified activity -- unauthorized activity toa 
8 particular account. 
9 Q. And how did the investigation suggest that that 


12:22 10 unauthorized access was occurring? 


11 A. It was occurring from an IP address that was not normal 


12 for the account to come from. 


13 Q. Which user account was involved at the first part of 
14 investigation? 
15 A. Julie Soma's account. 


16 3 Who was she? 


17 : She was an implementation architect for DFI 


18 ‘ Do you know what that is? 


19 : It's a person that helps build client environments in 


12:23 20 ActiveDisclosure. 


21 Q. And as an implementation architect, what kind of 
22 permissions did she have on the system? 


23 A. She had broad access. So access to all the client 


24 information. 


25 OF What location where does she physically work? 
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1. A. Out of Washington state. 


2 Q. And where was Toppan Merrill's business headquartered —-— 


3 excuse me, DFIN's business headquartered? I misspoke. 


4 : DFIN is located in Chicago, Illinois. 


5 : Did Ankura look at Ms. Soma's company-issued computer? 
6 ; We did. 


7 : And were there any signs of unauthorized access on the 


8 physical computer itself? 


9 A. Not on her computer, no. 


12:23 10 THE COURT: By the way, I'm sort of -- what are you 
11 saying, Ankura? How do you spell that? 


12 THE WITNESS: Ankura, A-n-k-u-r-a, that's the name of 


13 the company I worked for at the time. 


14 THE COURT: That's the cyber security company? 


15 THE WITNESS: Ankura does a number of client support 


16 across a broad spectrum of industries, but cyber security is 


17 one, yes. 


18 Q. I won't ask you to name any competitors for context. 


19 What was the problem with Ms. Soma's account, if there was 
12:24 20 nothing on the computer itself? 


21 A. The username and password was being used to access 


22 ActiveDisclosure in an unauthorized fashion. 


23 ; Did you and your team interview Ms. Soma? 
24 : We did talk to her, yes. 


25 : And what did you talk to her about? General topics, 
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i what you said. 


2 A. Well, we were very interested in the times for which she 


3 normally would log into ActiveDisclosure, the normal area for 


4 which she would log in from, like her home ISP or whatnot. We 


5 were interested in understanding if some of the activity we saw 


6 on her account was something she recognized, those kinds of 
7 questions. 


8 Q. And what did the information you learned from -—- what did 


9 you do with the information that you learned from Ms. Soma 


12:25 10 about how she used her computer? 
11 A. Well, we took what we learned and then looked at the log 


12 information and identified what we thought was legitimate 


13 activity and what we thought was suspicious activity. 


14 Q. And how did you make that differentiation? 


15 A. We looked at IP addresses, time of access, things like 


16 user-agent strings —- 


LS) ; I pause you there for a second? 


18 : Sure. 


19 Q. We haven't heard that term before. What is a user-agent 
12:25 20 string? 


£ 


21 A. A user-agent string is an artifact that is stored by 


22 computers or logs that some people attribute it to, like, a 


£ 


23 fingerprint o 


a browser that is used to access a system. 


24 Q. So if I use Chrome, for example, would that generate one 


25 user-agent string? 
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al A. Correct. 


2 Q. And if I used Safari, would that have a slightly dif 


3 user-agent string? 


4 A. Exactly. 
5 Q. How would that help in analyzing the usage on Ms. Soma's 
6 accounts? 


i A. So we knew what user-agent strings Ms. Soma normally had, 


8 and then user-agent strings that were different than that were 


9 suspicious. 


12:26 10 Q. So you talked about user-agent strings. You talked about 


1] IP addresses and when she typically worked. Did you ask her 


12 questions about her use of virtual private networks? 


13 A. 


14 Q. And while we're on that subject, did DFIN offer its 


LS employees a virtual private network to connect to the 


16 ActiveDisclosure system? 


Ay A. DFIN had a corporate VPN that employees could use to 


18 access DFIN's systems. 


19 Q. Can you distinguish that from a private virtual private 
12:27 20 network? 


21 A. Yes. So a private virtual network is a connection between 


22 two computers or more that is intended to be private, that you 


23 can subscribe to or pay to. That's much different than the 


24 corporate DFIN VPNs. 


25 Q. And was the access that was of concern to Ankura over the 
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1 private VPNs or the DFIN corporate VPN? 


2 A. It was the private VPNs. 


3 Q. Did your investigation identify any other DFIN users whose 


4 accounts were suspected of being compromised? 


5 A. 
6 Q. Which? 
7 A. Well, as a result of our work on Soma's account, we 


8 identified that there was an account associated with Ms. Han 


9 that also had suspicious access. 
12:27 10 : Where did Ms. Han work physically? 
11 : Physically in Korea, South Korea. 
12 < How about Mr. —- well, any others? 
13 : Yes. 
14 ‘ Whom? 
15 : Mr. Lewis, Jason Lewis. 


16 : And where did he physically work? 


Ly : Out of Texas. 


18 : Do the names Emmaruth Gray and Asamnew Gebremarium and 


19 Noemi Oropez and Jennifer Heinzerling stick with you? 


12:28 20 A. Yes, those accounts also had suspicious activity. 


21 Q. And did you engage in the same kind of conversations and 


22 analysis with those employees that you did with Ms. Soma? 


23 A. Yes. 


24 Q. What kind of permissions did those other employees have, 


25 Han, Lewis, Gray? 


12:29 10 


12:29 20 


21 


22 


23 


24 


25 


Case 1:21-cr-10104-PBS Document 181 Filed 02/06/23 Page 121 of 155 


A. Those users had broad access to client 


ActiveDisclosure. 


2-121 


information on 


©. And why, if at all, did Ankura flag these accounts as 


potentially compromised? 


A. Because they had similar IP addre 


SS aCCe€Sss, 


time of day, 


usage was not consistent with their normal course of business, 


and specifically VPN -- private VPN access. 


And where did Ankura find this evidence that it relied on? 


On logs. 


And what kind of information did 


So -- 


By way of 


example? 


IN's logs track? 


So DFIN's logs documented the time of connections, the 


user associated with that connection, 


the user account, the IP 


address that was a part of that connection, the user-agent 


string. 


Q. How about the commands accomplished over the user's 


account? 


Also documented commands, yes. 


And did the logs document what the user did while they 


in the net 


Yes. Wha 


So were Activel 


twork? 


t the user did on Active 


Disclosure, 


f volume are we talking here? 


yes. 


Disclosure's logs -- can you just give us an 


fF how big they were for the period you were looking at? 


Case 1:21-cr-10104-PBS Document 181 Filed 02/06/23 Page 122 of 155 


2-122 


1 : Very large. Millions of lines, gigabytes of informat 


2 ‘ And did Ankura -—- how did Ankura go about narrowing 


3 information down? 

4 A. Well, we went with what we knew was good, and then what 
5 was suspicious. And so the connections that were suspicious, 
6 we investigated. 


7 Q. Covering what time period would you say your -—- what time 


8 period did your suspicions cover, as far as unauthorized 


9 access? 


12:30 10 A. So we had logs back to the 5th of February 2018, and all 


ala the way up until 20 August 2020. 


12 QO. And for Julie Soma's name in particular, how far forward 
13 did the logs go? 

14 : How far forward? 

15 : From when to when? Julie Soma specifically. 


16 ; From February of 2018 until January of 2020. 


17 : Mr. Hartvigsen, I'm going to take you through just a few 


18 of those entries, okay? 


19 A. Okay. 


12:31 20 Os Not all of the million. 


21 MR. KOSTO: Can we please have Exhibit 71A. 


22 . Do you see Exhibit 71A, Mr. Hartvigsen? 


23 : Yes, sir. 


24 : Do you have your glasses fired up? 


25 What is it? 
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1 : This is an example of a message field in a log. 


2 ‘ Part of a log? 


3 F Yes. 


4 ‘ And for which ActiveDisclosure user was this message 


5 ‘ This one is for rr52260, and that was Julie Soma. 


6 : And where do you see rr52260? 


7 3 On the fourth line down -- fifth line down. 


8 : Is there a date and time associated with this message? 
9 . There is. 
12:32 10 : What is it? 


11 : This is February 5th of 2018, and 7:16 and 50 seconds, 


12 we call Zulu Time. 


13 : Since you mentioned Zulu Time, what does that index to, 


14 where in the world is that? 


15 : London. 


16 : [f 7:16:50 is a London time, can you give us the 


17 approximate time on the West Coast of the United States? 


18 A. So on the West Coast, Pacific Time, that would be the 


19 night of the 4th, so 11:16 on the 4th, in the evening. 
12:32 20 Q. What, if anything, did that suggest to you when you were 


21 looking at this log in your investigation? 


22 A. It was inconsistent with Julie Soma's normal behavior. 


23 Q. What do the words "download.ASPX" on the second line of 


24 Exhibit 71A tell us? 


25 A. It tells us that there was a download action. 
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al: ; And what is a download? 


2 ‘ A file was requested and downloaded. 


3 : Does the message tell us what file? 


4 : It does. 


5 < What is it? 


6 : Exhibit99_1.docx. 


7 ; And does the message tell us what DFIN client's document 
8 was accessed? 


9 A. Yes. The source is Snap. 


12:33 10 Ou The series of digits in the last highlighted row, do you 


11 see it there, starting with 209? 


12 A. Yes. That's the IP address. 


13 Q. What IP address are you talking about? The judge was 
14 about to ask 
15 ‘ Oh. 


16 : —- what computer is that associated with? 


Ay : So that would be the computer -- the IP address associated 


18 with the computer where that document would have gone. 


19 ; So the IP address where the document ended up? 
12:33 20 : Yes. 


21 COURT: You mean the intruding computer? 


22 WITNESS: Well, this would be the unauthorized —-— 


23 COURT: The unauthorized computer. 


24 WITNESS: —- computer. 


25 COURT: Is that what you're saying that is? 


12:34 10 


12:34 20 


21 


22 


23 


24 


25 
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You're saying specifically that it's the IP address that 


Correct. 


and downloaded a document from DFIN? 


Okay. In the judge's words, "the unauthorized computer"? 


That's right. 


MR. KOSTO: Can we go to 71B, please. And we'll speed 


up. 


This is May 9th of 2018. 
What time? 
and 28 seconds. 


which user's account? 


Ms. Soma's. 


But what date is this message from? 


What was the action taken over the account? 


This was a download. 


Of what company's document and what document? 


What document? I'm sorry. 


What document and what client? 


The source was HZNP, and the document was 


HZNP_master.docx. 


Q. 


And can you tell the jury what 


went to? 


A. 


Q. 


That's 119.204.194.111. 


IP address the document 


And what time of day did this message occur, West Coast 
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1 United States? 


2 A. That would have been the evening of the 8th, at 11:48 at 
3 night. 
4 MR. KOSTO: Let's go to 71F, please. 


is Q. Just to move us along here, let me ask you, does this 


6 message come from DFIN's logs? 
7 F Yes. 
8 : And is it for the user Julie Soma? 


9 : Yes. 


12:35 10 . Does it reflect a download on October 22nd, 2018? 


Ved. ‘ Yes. 


12 ‘ At approximately 1:21 in the afternoon? 


13 : Yes. 


14 ; Does that correspond to overnight hours on the West Coast 


15 of the United States? 


16 : It does. It would be about 5:00 in the morning. 


17 : What was the company's information accessed here? 


18 : 99: 1.docx. 


19 ‘ And could you read the IP address that the download went 


12:36 20 
21 : 104.238.37.190. 


22 MR. KOSTO: Could we please go to Exhibit 71G. 


23 ; Is this another message from Ms. Soma's user log? 


24 : It is. 


25 ; And is this a document that went to 104.238.37.197? 
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al 7 Yes. 


2 : If you could combine these, what client and what document? 


3 ; Tesla Motors. And so that would be Olupdateletter.docx. 


4 ‘ Is there a 99 in front of that title? 


5 ‘ Oh, I'm sorry, yes. I missed the 99, correct. 


6 ‘ Fair to say the date and time was October 24th, 2018, at 

7 : and 31 seconds? 

8 : That's correct. 

9 : Without doing the exact math, is that overnight hours on 
12:37 10 the West Coast of the United States? 


11 A. Yes. That would be about 1:00 in the morning. 


12 MR. KOSTO: Let's go to 71I, please. 

13 : Another message from Ms. Soma's user log; is that right? 
14 : That's correct. 

LS , What client's information? 

16 : KSS. 

LS) : And what document? 


18 2 Exhibit99_1.docx. 


19 : Overnight hours on May 20th, 2019, on the West Coast of 


12:37 20 the United States? 


21 F Yes. 


22 - What IP address was it sent to? 


23 : 209.197.20.204. 


24 : Just a few more, Mr. Hartvigsen. I appreciate your 


25 patience. 


Case 1:21-cr-10104-PBS Document 181 Filed 02/06/23 Page 128 of 155 


2-128 


al : Yes, sir. 


2 MR. KOSTO: Could we see 7I1N. 


2 : I'll ask you if this is a message from Ms. Soma's user 


6 : July 16th, 2019, at 6:38 in the morning, approximately? 
i . Yes. 


8 : Is that late in the evening, West Coast, United States? 


9 . It is. 
12:38 10 2 What's the client and what's the document? 


11 : The client source is Skechers, and the document is 


12 press_releaseSkechers.docx. 


13 : What IP address did this download go to? 


14 : 209.197.200.198. 


is) F Two more, Mr. Hartvigsen. 


16 MR. KOSTO: Exhibit 71P. 


17 : What client does this message concern? 


18 . KSS. 


19 F What document? 


12:38 20 : Exhibit99 _1.docx. 


21 : To which IP address did it go? 
22 : 64.42.179.59. 


23 : Is this a Ms. Soma user log? 


24 : It is. 


25 : And what month and year are we 
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al A. The month is November 15th, 2019. 

2 0:. Can you convert 13:33:34 to West Coast, United States 

3 time? 

4 A. Sure. That would be 5:33 and 34 seconds in the morning. 
5 Ow Okay. 


6 MR. KOSTO: 71R, please, Ms. Lewis. 


. : Can I have you read the username on this one? 


8 : Sure. It is rr146363. 


9 : Is that a change from the last series of messages we've 


12:39 10 looking at? 


11 : It is. 


12 ‘ Whose user log is this? 


13 : This is a user log associated with Ms. Han. 

14 ; And where did Ms. Han work? 

15 : South Korea. 

16 ‘ What was the company and the document downloaded here? 


Ly : Tesla Motors. 


18 . And the name of the document? 


19 F TSLA-10-K_master.docx. 


12:39 20 : And could you read the IP address that this document went 


21 to over Ms. Han's account? 


22 A. 199.249.223.130. 


23 : Do you recognize that IP address? 


24 < E.-dO% 


25 : Is it one that came up in the course of your 


12:40 10 


12:40 20 


21 


22 


23 


24 


25 
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investigation? 


Yes. 


Who's the provider for that address? 


AirVPN. 


And are you aware of how Ms. Han typically accessed 


ActiveDisclosure network? 


am. 


Did she use private VPNs? 


She used DFIN's VPN, normally. 


Once 


Ankura suspected unauthorized assess, for example, to 


Ms. Soma's account, did it take any steps, recommend anything 


to its cli 


lent? 


did. As soon as we confirmed unauthorized access, we 


recommended that that account get suspended. 


And did DFIN follow Ankura's advice there? 


Yes. 


Approximately when? 


January of 2020. 


Did DFIN also recommend the suspension of 


account when it discovered access like it saw? 


Yes. 


When 


did that take place? 


It was April of 2020. 


And Mr. Lewis, was that another name of an account where 
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1 : Yes. Jason Lewis's account, yes. 


2 . And what recommendation did DFIN make for -- or did Ankura 


3 for DFIN about that account? 


4 ‘ We recommended that account also get suspended. 


5 On Approximately what period -- and you may have said this -—- 


6 did the logs that you reviewed show suspected unauthorized 


7 access to DFIN's network? 


8 A. So February of 2018 until August of 2020. 


9 : Did Ankura's investigation reveal any other networks on 


12:41 10 DFIN's system that experienced unauthorized access? 
11 : Yes. 
12 ‘ And what system was that? 


13 : Active Directory. 


14 . That has the same letters, A 


15 : Yes. 


16 : ActiveDisclosure, if that's the software for the filing, 


17 what is Active Directory? 


18 A. Active Directory is essentially a database of usernames 


19 and passwords used by a network to allow users access to 
12:42 20 various resources on the network. 


21 Q. What did you find on the Active Directory area where 


22 usernames and passwords were stored? 
23 A. Unauthorized access. 


24 Q. What specifically? 


25 A. We found unauthorized entities acting as imposters or 
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i otherwise taking over accounts or making new accounts. 


2 Q. By the way, are you familiar with the concept of 
3 penetration testing? 

4 A. 

5 QO. In a word or two, what is it? 


6 : It is a test of a network to identify whether or not you 


7 can penetrate it or access it. 


8 Q. And in this 2018, 2019, 2020 time frame, had DFIN hired a 


9 firm like yours, or any others, to conduct penetration testing 


12:42 10 on its network? 


12 ‘ Did Ankura find any unauthorized software on DFIN-issued 


13 computers? 
14 A. We did. 


15 Q. And what's another name for unauthorized software? 


16 A. In this case, malware, malicious software. 


LS) ©. Where were the laptops that DFIN found -- or that Ankura 


18 found malware? 


19 A. London and Poland. 
12:43 20 Q. And what malware specifically was present on the London 


21 and Poland laptops? 


22 A. They were renamed versions of a program called PowerShell. 
23 Q. You said renamed? 
24 A. 


25 Q. What do you mean? 
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1 A. They were named something other than PowerShell to hide 

2 their presence. 

3 Q. And now that we've said "PowerShell" a couple times, what 
4 does PowerShell mean to you? 


5 A. Oh, PowerShell is a program that oftentimes administrators 


A og 


6 ill use to conduct routine functions, like ji 


a log source is 


7 tilling up, before it fills up, that PowerShell can be 


8 programmed to do that move on a recurring basis without 

9 somebody at the keyboard. 
12:44 10 Q.. So you wouldn't need to be at the keyboard of the machine 
Lal you were working on to access it? 
12 THE COURT: So what does it do, PowerShell? 


13 THE WITNESS: I'm sorry, ma'am? 


14 THE COURT: In plain English, what does it do? 


LS THE WITNESS: PowerShell is generally an administrator 


16 tool that is on -—- can be put on systems that allow functions 


ay to be automated, so a person doesn't have to be at a keyboard 


18 for it to do its work. You can program it to do its work -- 


19 THE COURT: So an administrator takes over someone 
12:44 20 else's computer? 


21 THE WITNESS: It can take over administrative 


22 tions in a network without somebody being at that computer. 


23 it can do things on somebody else's computer if you're -—- if 
24 that makes sense. 


25 THE COURT: So it's not malware? 
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al Q. What's the difference, Mr. Hartvigsen, between a 


2 PowerShell program PowerShell.exe and renamed PowerShell? 


3 A. So in this case, the renamed PowerShell was performing as 


4 malicious software because it was doing activities that were 


5 functions that DFIN had programmed it to do. 


6 : Did DFIN administrators run PowerShell under a different 


8 : DFIN administrators ran PowerShell under PowerShell. So 


9 if there was a legitimate reason for PowerShell to be used, it 
12:45 10 would have been named PowerShell. 
11 Q. So just one example, maybe, to illustrate this. You 
12 testified about logs, right? 


13 : Yes. 


14 . Logs 
15 : Yes. 
16 : Hundreds of thousands and thousands, right? At some 
ay point, does the computer run out of space? 


18 A. That's correct. 


19 QO: And can an administrator automate PowerShell to go in 


12:45 20 every day or every other day or every other week, grab those 


21 logs and either delete them or move them to somewhere else? 


22 A. 


£ 


23 O. And is that an example of something PowerShell can do in 


24 an automated fashion to administer the computer? 


25 A. Yes. 


12:46 10 


12:46 20 


21 


22 


23 


24 


25 
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Q. Okay. I'd like to ask you some questions about what 


PowerShell was doing on these laptops. Was it -- well, for 
starters, let's talk about the England laptop for a second. 
Okay. 


So it had PowerShell on it? 


It had a renamed version, yes. 


And what was the renamed version of PowerShell doing on 


the English laptop? What was it programmed to do automatically 
every time the machine booted up? 

A. So when it started up, it attempted to delete the logs 
associated with its activity, and then it -—- 

Q. Let me pause you there. 


A. Oh, sure. 


Q. Is deleting logs associated with PowerShell's activity, 


its own activity, something that DFIN would have PowerShell do? 
A. No. 


Q. What else did PowerShell do, this renamed PowerShell? 


A. In this case, it attempted to collect usernames and 


passwords from that system. 
And what else did PowerShell do? 


And then it connected to an external domain. 


Do you recall the name of the domain? 
investmentcomp.com. 


And did you also look at a computer -- well, was 


connecting to investmentcomp.com part of DFIN's usual use for 
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1 that computer? 

2 A. No. 

3 Q. And this is something PowerShell had it reaching out to 
4 every so often? 

5 A. Yes. 

6 Q. Now, you mentioned that there was PowerShell found on a 
7 computer in Poland as well; is that right? 


8 A. That's correct. 


9 Q. Was that regular PowerShell or renamed PowerShell? 


12:47 10 A. It was a renamed PowerShell. 


11 Q. And was renamed PowerShell something that DFI 
12 administrators had put on this machine? 

13 A. No. 

14 Q. And what was PowerShell configured to do, this renamed 


LS PowerShell configured to do, on the Polish computer? 


16 A. It was also set up to delete logs associated with its 


17 activity, collect usernames and passwords, and then connect to 


18 an external domain. 


19 F What was that domain? 


12:48 20 : finauditsolutions.com. 


21 : Did you say finauditsolutions.com? 


22 : Correct. 
23 : And were these things part of the typical usage for that 
24 computer? 


25 A. No. 
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al Q. What was the earliest date associated with the PowerShell 


2 activity on the Polish laptop? 


Si THE COURT: Well, can I just say, this Polish laptop, 


4 was that a DFIN laptop? 


5 THE WITNESS: Yes. 


6 ‘ Was there a DFIN employee in Poland who was using it? 


7 : Yes, correct. 


8 ‘ Or worked in Poland and had this laptop from DFI 


9 . DFIN has a presence in Poland. 


12:48 10 : But was it the Polish employee who was intentionally 


1] reaching out to finauditsolutions.com? 


12 : No. 
13 : Was it the Polish employee who was deleting the logs? 


14 : No. 


iS) MR. KOSTO: 1 could have one moment, Your Honor. 


16 Thank you, Mr. Frank. 


17 ©. What did you do with the domain names and the names of the 


18 Powershell renamed and the IP addresses associated with the 


19 activities on the Polish and English laptops? 


12:49 20 A. We incorporated those into our investigative observations. 
21 O. And did you provide them to law enforcement, through the 
22 client or otherwise? 


23 A. Can you repeat that? 


24 Q. Did you provide the domains to the FBI? 


25 A. I think DFIN's counsel did that, yes. 
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al MR. KOSTO: No further questions, Your Honor. 


2 Your Honor, may we approach briefly 


3 fore Mr. Nemtsev —- 
4 THE COURT: How long do you think you have, 


5 Mr. Nemtsev? 


6 MR. NEMTSEV: Twenty, 30 minutes. I don't think we'll 


7 make it by 1:00. 


8 THE COURT: So why don't you go for ten minutes, and 


9 ['ll deal with it at the break. Is it right now that you're 


12:50 10 going to be dealing with it? 


11 MR. NEMTSEV: don't think I'll make it to that 


12 portion. 


13 THE COURT: Okay. 


14 MR. KOSTO: Mr. Hartvigsen is in from out of town. 


15 we can finish him, the government would ask that we do so. 


16 Interruption.) 


A} THE COURT: We may need to have a break anyway. 


18 see you at sidebar. 


19 Why don't you stand and stretch. 


12:51 20 (SIDEBAR CONFERENCE AS FOLLOWS: 


21 THE COURT: Excuse me. We do not know why that juror 
22 just stepped out. 


23 MR. KOSTO: Oh, dear. 


24 THE CLERK: Judge, is it okay if one of the others 


25 steps out to use the restroom? 


12:52 10 


Case 1:21-cr-10104-PBS Document 181 Filed 02/06/23 Page 139 of 155 


2-139 


THE COURT: Yes. We are only going to be going 


another ten or fifteen minutes anyway. 


THE CLERK: Go ahead. 


THE COURT: What's the issue? 


We're not going to finish. 


MR. NEMTSEV: No. 


MR. KOSTO: But we've just finished with 


Mr. Hartvigsen's exam. The government did not introduce any 


log information regarding geolocations 


ee 


or the reasons that we 


discussed this morning. So there's no 


Mr. Hartvigsen on geolocation. 


12:52 20 


21 


22 


23 


24 


25 


log information for 


anticipate, having talked with Mr. Nemtsev, that he 


wants to show the cities and states and offer them for the 


purpose of showing that the access 


THE COURT: Whose document is 


Te 2 


MR. KOSTO: Well, we haven't put the document 


if they're offering it, we object to it based on —- 


THE COURT: This is his document? 


MR. KOSTO: It's not his document. It's the company's 


log, and we're objecting to so much of 


it as was generated by 


Microsoft, and we're not offering it because, as Mr. Nemtsev 


said in his motions, it's not reliable 


information. 


THE COURT: T'll hear what he 


using it? 


MR. N 


has to say. You're not 


need to use it. They 
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i need to use it, Your Honor. They just put in 71A through G. 


2 They're excluding 71. They put in evidence of maybe three or 


Si four, five unauthorized intrusions. If they want to prove an 


4 unauthorized intrusion, they need the log files. 


5 MR. KOSTO: But they don't need the geolocation 


6 because it's not accurate. 


a THE COURT: I have to see what he has to say about. 


8 This whole thing is not about MaxMind, it's about Microsoft. 


9 MR. KOSTO: It's the same thing. 


12:53 10 THE COURT: Just as I said to them, please let me know 
‘lal in advance what the issue is. 


12 MR. FRANK: We just found out today, Judge. 


13 THE COURT: I'm going to let him ask a question and 


14 see what the guy says, but we're not going to finish today. 


15 MR. NEMTSEV: No, but can we admit the log files? 


16 THE COURT: No, I don't know if we can. I don't know 


17 if he knows anything about it. 


18 MR. NEMTSEV: He just testified for an hour about log 


19 files that he reviewed. 


12:53 20 THE COURT: Excuse me. I don't know if he knows 


21 anything about that information about geolocation. 


22 MR. NEMTSEV: No. No. 


23 THE COURT: Besides, it only covers part of it. Most 


24 it isn't even mentioned. You're going to put in information 


25 Boston, I assume. 
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i MR. FRANK: We're putting in information about IP 


2 addresses, which is logs, but the location -—- Microsoft's 


3 conclusion about where things come to, that geolocation data, 
4 that's precisely the same as the MaxMind data. 


5 THE COURT: I don't know that. You have to get me 


6 something that says that. That's just you saying it. 


a MR. KOSTO: But they are the proponent of the general 


8 location here. 


9 THE COURT: I've said what's sauce for the goose is 


12:54 10 for the gander. You have to live and die by that. So -- 


11 MR. KOSTO: When we proposed to offer this exact kind 


12 of information, the defense objected. 


13 THE COURT: Listen, it was this crooked company called 
14 MaxMind. 
iS) . FRANK: No, Judge. 


16 . KOSTO: Judge. 


Ly . FERNICH: That's not the crooked one. 


18 COURT: That's not the crooked one? Which is the 


19 crooked? 


12:54 20 : EMTS 


21 (Crosstalk. 


22 MR. FERNICH: MaxMind just makes it up. They're not 


23 


24 MR. KOSTO: Your Honor, this witness does not know -—- 


25 THE CLERK: Are we oKay? 
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alt THE CLERK: Yes, all good. 


2 MR. NEMTSEV: Somebody is raising their hand. 


3 QUESTION FROM JUROR (Is user agent string just 


4 Lfferent types of browsers?) 


5 . NEMTSEV: 'm not sure what that question is 


7 THE COURT: I don't understand it either. 


8 MR. KOSTO: I believe the question is asking whether 


9 the browser is the only thing that determines the user-agent 


12:55 10 string. I believe the witness would say there are things ot 
11 than the browser. So, for example, whether you're running 
12 Windows or Apple would also be something that comes-—— 


13 THE COURT: You can do it on redirect if you want. 


14 MR. NEMTSEV: don't understand the question. 


15 can't ask it. 
16 (END OF SIDEBAR CONFERENCE. ) 
17 THE COURT: We won't finish this witness today, so 


18 we'll go another five minutes. 


19 CROSS-EXAMINAT 


12:56 20 BY MR. NEMTSEV: 


21 Q. Good morning, Mr. Hartvigsen. Am I saying that correctly? 


22 A. Hartvigsen, yes. 


23 Q. My name is Max Nemtsev. I'm an attorney for Mr. Klyushin. 


24 Aside from a brief run-in in the elevator, you and I have never 


25 met today, correct? 
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al : We have not. 


2 . We've never spoken, correct? 


i : I'm sorry? 


4 ‘ You and I have never spoken; is that correct? 


5 : No, sir. 


6 ‘ You have spoken to the government, the FBI agents, and the 
7 prosecutors on several occasions; is that correct? 


8 A. That is correct. 


9 Q. And most recently was on January 6th, 2023, I believe; is 


12:57 10 that correct? 


Ad. A. That sounds accurate. 


12 Q. And at those meetings, one of the purposes for those 


13 meetings was to obtain information that you have, as well as to 


14 answer these agents' questions; is that correct? 


LS A. They were to orient me to how this would all work. 


16 Q. And they gave you the questions and solicited your 


17 responses for your testimony today; is that correct? 


18 A. I think we went over logs and other things. 


19 Q. And you've been part of the cyber security industry 1 
12:57 20 years; is that right? 
21 : Close to, yes. 
22 ‘ And right now, you're with a company called StoneTurn; is 
23 correct? 


24 


25 : fore that, you were with a company called Ankura; is 
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a. that correct? 


2 A. 


3 Q. And does StoneTurn offer approximately the same types of 
4 services as Ankura? 


5 A. Yes. 


6 : Do both of those services include penetration testing? 


7 : StoneTurn does not do penetration testing. 


8 ‘ But Ankura, another large cyber security vendor, they do; 


9 is that correct? 
12:58 10 A. Correct. 
11 Q. And are penetration testing offerings by cyber security 


12 companies common, to your knowledge, in the industry? 


14 ; I correct that you were first contacted by DFI 


15 following their receipt of a SEC subpoena? 


16 A. We were contacted by DFIN's we were engaged by DFI 


17 lawyers as a result of that, I believe, yes. 


18 O. So DFIN's attorneys reached out to Ankura and reached out 


19 to yourself to hire you to help them analyze these very 


12:58 20 enormous log files? 


21 A. Exactly. 


22 Q. Fair to say that you had a very large group of people 


23 working on this investigation from Ankura's side? 


24 A. We had a number of specialties working on the case, yes. 


25 Q. And how many people would you approximate worked on the 
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A investigation? 


2 A. Twelve routinely. 


3 O.. From different parts of the country? Any international 


4 ones, to your memory? 


6 : DFIN, to your knowledge, is a company that services 


£ 


7 confidential in 


ormation on behalf of publicly traded 


8 companies, amongst other businesses; is that correct? 
9 A. 


12:59 10 Q. And would you agree that excellent cyber security is a 


11 necessary component for companies like DFIN that hold such 


12 sensitive information? 


13 A. [ would agree that cyber security should be a 


14 consideration, sure. 


15 THE COURT: I can't even hear you. A lot of 


16 you're missing the mic. So please make 


17 THE WITNESS: Oh, I'm sorry. 


18 THE COURT: Remember, you're speaking to them as well, 


19 so we all need to hear you. 


01:00 20 THE WITNESS: Okay. Is that better? 


21 THE COURT: Yeah. 


22 : And DFIN had about 1,600 employees, to your knowledge? 


23 P I don't know. 


24 : Do you recall how many accounts in total had access to 


25 DFIN's systems? 
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al : I don't recall. 


2 . Greater than a hundred? 
3 F Yes, greater that a hundred, sure. 
4 ‘ Greater than a thousand, potentially? 


3 ‘ I don't recall. 


6 ‘ Did you study the security features that were enabled f 


7 DFIN in 2018 to 2020? 


8 : We responded to unauthorized access; as a result, were 


9 exposed to some of those security features. 


01:00 10 Q. Am I correct that the only thing that a user needed to do 


11 to gain access to DFIN's system is to enter a username and a 
12 password? 


13 A. For ActiveDisclosure, yes. 


14 Q. And ActiveDisclosure is primarily -- what you've reviewed, 


15 the log files that you reviewed came from that system; is that 
16 correct? 
17 A. 


18 Q. There was no two-factor authentication enabled; is that 


19 COrrecT? 


01:01 20 A. Not for ActiveDisclosure. 


21 Q. There weren't access restrictions, meaning you couldn't 


22 access it from a public IP; is that correct? 


23 A. I'm not sure I understand the question. 


24 Q. Meaning you didn't have to be in DFIN's office to access 


25 the ActiveDisclosure system; is that correct? 


01:02 10 
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have to be in DFIN's office. 


from home, you could work from a caf 


you could work from a Starbucks; is that correct? 


A. You could access it outside of DFIN's network, yes. 


O-. I believe you testified that your initial 


investigation was focused only on one employee by the name of 


Julia Soma? 


A. That's correct. 


Q. And as part of 


that investigation, did you obtain access 


to all of Ms. Soma's devices? 


A. We accessed her laptop that she used to conduct her 


business. 


Q. Did you access her phone as well? 


A. I don't recall. 


THE COURT 


MR. NEMTS 


EV: 


You need to finish up this line of -- 


Okay. 


Q. And you reviewed her computer, and you found no malware 


installed on her devices; is that correct? 


01:02 20 


21 


22 


23 


24 


25 


A. Correct. 


MR. 


THE CLI 


(Jury exits.) 


THE COURT: 


EV: 


Judge, I could continue this tomorrow. 


See you tomorrow morning, 9:00. Thank 


Thank you, sir. Could you stay on the 


01:04 10 
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stand just a couple more minutes? 


Ask him about that geolocation information. 


want to be doing this on the fly at sidebar. 


MR. 
MR. KOSTO: May 


THE COURT: 


N 


EMTS 


EV: Can 


MR. 


THE COURT: 


Which doc 


N 


EMTS 


EV: 


First, 


ask him? 


inguire, Your Honor? 


I want to show him the document and 


fF he knows anything about it. 


Could you please pull up that excerpt? 


Please be seated. 


ument are we looking at? 


MR. 


N 


[ believe 


EMTS 


EV: 


Tt. s: 70. 


MR. KOSTO: 71. 


MR. NEMTS! 


THE COURT: 


THE WI] 


THE COURT: 


01:04 20 


21 


22 


23 


24 


25 


BY MR. NEMTSEV: 


EV: 71. 


[TNESS: Yes. 


This is an excerpt from the one -- is it 


All right. Does that look familiar to 


So now, what do you want to ask him about? 


So this is just a small snippet of the millions of lines 


were produced by the AD system; is that correct? 


It appears so, yes. 


And this is what you relied on to determine whether 


Ms. Soma's account or somebody else's account may have been 


intruded upon; 


is that correct? 
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i MR. KOSTO: Objection. 


2 THE COURT: Overruled. 


3 MR. KOSTO: This log is dozens and dozens of columns 


4 long, and he's asked him, This is what you relied on, and 


bs showed him five columns. 
6 THE COURT: So you want the full breadth of all the 


7 columns? 


8 MR. KOSTO: If he's going to ask him about this log, 


9 he should show him all the columns. 
01:05 10 THE COURT: Yeah. Can you show him the whole spread 


11 of all the columns? 


12 MR. NEMTSEV: Show him the next page. 


13 It's just so lengthy, Judge, I split it by page from 


14 one to the other. 


15 THE COURT: I know, but you're going to ask him about 


16 only one column, right? 


17 . NEMTSEV: No, I'm going to ask him about several 


19 THE COURT: I'm not doing this as free-flowing 


01:05 20 discovery. I'm just trying to get to the geolocation issue. 


21 MR. NEMTSEV: Okay. Can we go down a little to the 


22 next page? No, next page. 


23 BY MR. NEMTSEV: 


24 Q. This column here. City name, continent code, continent 


25 code 2, country code, and the column a little bit further to 


01:05 10 


Case 1:21-cr-10104-PBS Document 181 Filed 02/06/23 Page 150 of 155 


the right. 


THE COURT: 


THE W 


ITNESS: 


THE COURT: 


formation? 


THE W 


ITNESS: 


THE COURT: 


THE W 
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THE COURT: 


2-150 


Are you familiar with those columns? 


am. 


You are? Okay. Did you generate that 


did not. 


£ 


Where did you get it from? 


These were already in the logs that we 


So do you know anything about how that 


information was generated? 


THE WI] 


[TNESS: 


It's my understanding that they come 


from Microsoft when the logs are produced. 


01:06 20 


21 


22 


23 


24 


25 


THE COURT: 


your certification, i 


Based on all your years of experience and 


s this the kind of information Microsoft 


provides? Do you know? 


THE WI] 


puts in there, 


[TNESS: 


don' 


THE COURT: 


THE WI] 


[TNESS: 


So I don't know -—- beyond what Microsof 


t know the source —-— 


can't hear you. 


I'm sorry. Aside from the fact that 


they come from Microsoft, I don't know the source beyond that. 


THE COURT: 


THE WI] 


[TNESS: 


THE COURT: 


THE WI] 


[TNESS: 


You don't know how they're generated? 
No. 


Do you know what it even is about? 


Oh, sure. It's location information 
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1 that is derived from the IP addresses that are in the logs. 


2 THE COURT: But is that the IP address that's 


Si intruding? Are those the intruders? 


4 THE WITNESS: It could be both, depending on -- 


5 THE COURT: What do you mean both? Both what? 


6 THE WITNESS: Well, it could be the legitimate 


7 activity, so it would -- if there was legitimate activity from, 


8 like, Ms. Soma, it would show that, or it would show 


9 illegitimate -- 


01:07 10 THE COURT: It can either be the intruder or the one 


11 intruded upon? 


12 THE WITNESS: Sure. 


13 THE COURT: And there's no way of telling from here? 


14 MR. NEMTSEV: No, Your Honor, this is only for the 


16 THE I'm asking him. Can you tell what it is 


Ly from here? 


18 THE WITNESS: No, no. This is just a snippet of a 


19 Korea attribute. 


01:07 20 THE COURT: Of a what? 


21 THE WITNESS: South Korea's information. 


22 THE COURT: He doesn't know what it denotes. 


23 BY MR. NEMTSEV: 


24 O. You don't know that this is the IP location data for the 


25 IP that was used to access the server? 
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£ 


1. A. So we didn't use this information during our 


2 investigation. We didn't analyze this. 


3 Q. You didn't analyze whether this IP came from, let's Say, a 


4 location that Julia Soma does not work from? You've never used 


3 that? 


6 : We didn't use this for that information. 


7 : Did you use a different system to determine that? 

8 : We did. 

9 : What system did you use? 
01:08 10 : We used a tool called DomainTools, another tool called 
11 CentralOps that would -- 
12 Q. And did DomainTools provide results that are consistent 
13 with these logs? 
14 A. We didn't do that analysis. 


15 THE COURT: Okay. He doesn't know. If you have an 


16 expert, maybe your expert can put it in, but -- okay. But you 


ay can ask other questions. Thank you. I'll see you tomorrow 


18 morning. 


19 WITNESS: Yes, ma'am. 


01:08 20 COURT: How much longer do you have? 


21 . NEMTSEV: Fifteen minutes, maybe less. 


22 COURT: Fifteen. 


23 much on redirect? 


24 MR. KOSTO: It depends on what happens tomorrow 


25 morning, but no more than that. 
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1 THE COURT: What? 


2 MR. KOSTO: Depends on what happens, but no more than 


4 THE COURT: I'm sorry you have to stay over. It's 


5 really going to be an utterly miserable day here with freezing 


6 cold, snow, and it's just horrible, but —- 


7 THE WITNESS: But you have good clam chowder, so 


8 okay with it. 


9 THE COURT: You're stuck here. It could be worse. 


01:09 10 could be Friday where it's going to be zero. 


11 MR. KOSTO: Your Honor, I think we'll cover 


12 tomorrow -—- assuming we finish up with Mr. Hartvigsen, we'll 


13 cover Mr. Garabo; Ms. Soma, whose use we've been talking about; 


14 Ms. Han, whose use we've been talking about; and Mr. Lewis, 


15 whose use we've been talking about. I think that will carry 
16 the day. 


17 THE COURT: Assuming that the jurors get here on time. 


18 I really do like to accommodate people from out of 


19 town. So if you let me know someone could be on a plane, just 


- 


for you, but you can't 


01:09 20 let me know. That may be more pressure 


21 say at ten of 1:00, Oh, he's from out of town. Okay? I can 


22 try and cut the break short or I can do other things to try and 
23 accommodate people. 


24 MR. KOSTO: All of those witnesses are out of town, 


25 I would expect, barring a late start, that we could do them 
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all tomorrow. 


THE COURT: Okay. Good. Thank you. 


(Proceedings adjourned at 1:09 p.m.) 
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